From 3de89b5964cf432d6662b93d7c27429bf3c17691 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Sat, 7 Feb 2015 16:42:33 +0000
Subject: Closing a block validates it, which may end up deleting it, so if we are in a loop over blocks, cleanly restart the loop rather than risking use after free; found by jsg@ with afl.
---
 mdoc_macro.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'mdoc_macro.c')
diff --git a/mdoc_macro.c b/mdoc_macro.c
index 158e1bbd..f04acb96 100644
--- a/mdoc_macro.c
+++ b/mdoc_macro.c
@@ -1,4 +1,4 @@
-/* $Id: mdoc_macro.c,v 1.179 2015/02/06 07:13:14 schwarze Exp $ */
+/* $Id: mdoc_macro.c,v 1.180 2015/02/07 16:42:33 schwarze Exp $ */
 /*
 * Copyright (c) 2008-2012 Kristaps Dzonsons
 * Copyright (c) 2010, 2012-2015 Ingo Schwarze
@@ -941,6 +941,7 @@ blk_full(MACRO_PROT_ARGS)
 mdoc_macronames[tok],
 mdoc_macronames[n->tok]);
 rew_pending(mdoc, n);
+ n = mdoc->last;
 continue;
 case MDOC_It:
 /* Delay in case it's astray. */
-- cgit v1.2.3
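Review bot: The added `n = mdoc->last;` in the second hunk has no comment saying why `n` is reassigned, so next to `continue` it reads as redundant and a later cleanup could remove it and bring back the stale-pointer read. A comment above it such as `/* rew_pending() may validate and delete n; restart from the current last node. */` would record the reason given in the commit message. The loop header of blk_full is outside this hunk, so two things should be confirmed against it: that `mdoc->last` cannot be NULL here if the loop's step expression dereferences `n`, and that stepping past `mdoc->last` itself after the `continue` is intended. Since the problem was found by fuzzing, adding the triggering input as a regression test would pin the fix.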