From f1acc1f1ed19c62e0f3916a557e5841e0392cd7a Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Sat, 11 Feb 2017 14:11:17 +0000
Subject: Do not prematurely close .Nd containing a broken child. Fixes tree
 corruption leading to NULL dereference in insane cases like .Oo Oo .Nd .Pq Oc
 .Oc Oc found by tb@ with afl(1).

---
 mdoc_macro.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'mdoc_macro.c')

diff --git a/mdoc_macro.c b/mdoc_macro.c
index 3326add6..a1cea0ef 100644
--- a/mdoc_macro.c
+++ b/mdoc_macro.c
@@ -1,4 +1,4 @@
-/*	$Id: mdoc_macro.c,v 1.213 2017/02/11 13:24:12 schwarze Exp $ */
+/*	$Id: mdoc_macro.c,v 1.214 2017/02/11 14:11:17 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010, 2012-2016 Ingo Schwarze <schwarze@openbsd.org>
@@ -647,10 +647,16 @@ blk_exp_close(MACRO_PROT_ARGS)
 			break;
 		}
 
-		/* Explicit blocks close out description lines. */
+		/*
+		 * Explicit blocks close out description lines, but
+		 * even those can get broken together with a child.
+		 */
 
 		if (n->tok == MDOC_Nd) {
-			rew_last(mdoc, n);
+			if (later != NULL)
+				n->flags |= NODE_BROKEN | NODE_ENDED;
+			else
+				rew_last(mdoc, n);
 			continue;
 		}
 
-- 
cgit v1.2.3