author | Ingo Schwarze <schwarze@openbsd.org> | 2014-08-18 16:36:54 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-08-18 16:36:54 +0000 |
commit | b1980ad8f95c0b32e91275767b1c1d14b4249195 (patch) | |
tree | e763f0392c13c428834d20e7a8f03f15bcade932 | |
parent | d73c61d4aa397cdbeb0d0255f80bee01ee80e736 (diff) | |
When the first child of the node being validated gets deleted during
validation, man_node_unlink() switches to MAN_NEXT_CHILD. After
that, we have to switch back to MAN_NEXT_SIBLING after completing
validation, or subsequent parsing would add content into an already
closed node, clobbering potentially existing children, causing
information loss and a memory leak. Bug found by kristaps@ with
valgrind in groff(7) on Mac OS X.

Note that the switch back must be conditional, for if the node being
validated itself gets deleted, we must *not* go to MAN_NEXT_SIBLING,
which would not only yield wrong results in general but also crash
in malformed manuals having an empty paragraph before the first .SH,
for example OpenBSD c++filt(1).
-rw-r--r-- | man_macro.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/man_macro.c b/man_macro.c index 3b273cdb..15eee493 100644 --- a/man_macro.c +++ b/man_macro.c @@ -1,4 +1,4 @@ -/* $Id: man_macro.c,v 1.88 2014/08/10 23:54:41 schwarze Exp $ */ +/* $Id: man_macro.c,v 1.89 2014/08/18 16:36:54 schwarze Exp $ */ /* * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2012, 2013 Ingo Schwarze <schwarze@openbsd.org> @@ -100,7 +100,6 @@ man_unscope(struct man *man, const struct man_node *to) { struct man_node *n; - man->next = MAN_NEXT_SIBLING; to = to->parent; n = man->last; while (n != to) { @@ -139,11 +138,23 @@ man_unscope(struct man *man, const struct man_node *to) * Save a pointer to the parent such that * we know where to continue the iteration. */ + man->last = n; n = n->parent; if ( ! man_valid_post(man)) return(0); } + + /* + * If we ended up at the parent of the node we were + * supposed to rewind to, that means the target node + * got deleted, so add the next node we parse as a child + * of the parent instead of as a sibling of the target. + */ + + man->next = (man->last == to) ? + MAN_NEXT_CHILD : MAN_NEXT_SIBLING; + return(1); } |
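Review bot: with `man->next = MAN_NEXT_SIBLING;` dropped from the top of man_unscope() in the second hunk, man->next is now assigned only immediately before `return(1)`, so the `return(0)` path after a failed man_valid_post() leaves it at whatever value the caller or validation last set. If callers can keep parsing after a failure, set man->next on that path as well; if they cannot, a sentence in the function's comment stating that man->next is only meaningful on success would make the contract explicit.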
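Review bot: in the third hunk the added `man->last = n;` lands between the existing comment "Save a pointer to the parent such that we know where to continue the iteration" and the `n = n->parent;` it describes, so the comment now appears to explain the man->last assignment. Move the new line above that comment and give it its own one-line explanation. The final test `man->last == to` also depends on man_valid_post() moving man->last to the parent when it deletes the node, which is not visible in this file's hunks; naming that dependency in the new block comment would help the next reader. The patch touches only man_macro.c, so regression inputs for the two cases the commit message names (a deleted first child, and an empty paragraph before the first .SH) would be worth adding alongside it.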