From f1acc1f1ed19c62e0f3916a557e5841e0392cd7a Mon Sep 17 00:00:00 2001 From: Ingo Schwarze Date: Sat, 11 Feb 2017 14:11:17 +0000 Subject: [PATCH] Do not prematurely close .Nd containing a broken child. Fixes tree corruption leading to NULL dereference in insane cases like .Oo Oo .Nd .Pq Oc .Oc Oc found by tb@ with afl(1). --- NEWS | 6 ++++-- mdoc_macro.c | 12 +++++++++--- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index d2084a21..5df3da51 100644 --- a/NEWS +++ b/NEWS @@ -1,4 +1,4 @@ -$Id: NEWS,v 1.16 2017/02/10 16:20:34 schwarze Exp $ +$Id: NEWS,v 1.17 2017/02/11 14:11:17 schwarze Exp $ This file lists the most important changes in the mdocml.bsd.lv distribution. @@ -53,8 +53,10 @@ Changes in version 1.14.1, released on February XXX, 2017 * mdoc(7): Fix syntax tree corruption leading to NULL dereference caused by .Ta following a nested .Bl -column breaking another block. * mdoc(7): Fix syntax tree corruption sometimes leading to NULL - dereference caused by indirectly broken .Nm blocks in the SYNOPSIS. + dereference caused by indirectly broken .Nd or .Nm blocks. * mdoc(7) -Thtml: Fix a NULL dereference for .Bl -column with 0 columns. + * mdoc(7): Fix NULL dereference in some specific cases of a + block-end macro calling another block-end macro. * mdoc(7): Fix NULL dereference if the only child of the head of the first .Sh was an empty in-line macro. * mdoc(7): Fix an assertion failure for a .Bd without a type that diff --git a/mdoc_macro.c b/mdoc_macro.c index 3326add6..a1cea0ef 100644 --- a/mdoc_macro.c +++ b/mdoc_macro.c @@ -1,4 +1,4 @@ -/* $Id: mdoc_macro.c,v 1.213 2017/02/11 13:24:12 schwarze Exp $ */ +/* $Id: mdoc_macro.c,v 1.214 2017/02/11 14:11:17 schwarze Exp $ */ /* * Copyright (c) 2008-2012 Kristaps Dzonsons * Copyright (c) 2010, 2012-2016 Ingo Schwarze 
@@ -647,10 +647,16 @@ blk_exp_close(MACRO_PROT_ARGS)
 break;
 }
- /* Explicit blocks close out description lines. */
+ /*
+ * Explicit blocks close out description lines, but
+ * even those can get broken together with a child.
+ */
 if (n->tok == MDOC_Nd) {
- rew_last(mdoc, n);
+ if (later != NULL)
+ n->flags |= NODE_BROKEN | NODE_ENDED;
+ else
+ rew_last(mdoc, n);
 continue;
 }
--
2.47.1
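Review bot: The new comment above the `n->tok == MDOC_Nd` test says a .Nd can be broken together with a child, but not that `later != NULL` is what signals this, and `later` is assigned outside this hunk. I would spell that out at the branch, e.g. `/* later is set: a child block stays open past this point, so mark the .Nd broken and ended instead of rewinding it. */`, with the wording checked against where `later` is assigned. Since this is a parser crash reachable from a crafted manual page, the macro sequence quoted in the commit message is also worth keeping as a regression input; the diffstat shows only NEWS and mdoc_macro.c, so it may live in a separate test tree. The enclosing loop in blk_exp_close() starts and ends outside the hunk.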