diff options
| author |   Ingo Schwarze <schwarze@openbsd.org> | 2015-04-29 12:44:58 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@openbsd.org> | 2015-04-29 12:44:58 +0000 |
| commit | 0745d78af02f9484ee3018377936265fe41b4858 (patch) | |
| tree | 737e2c42d5a8c3e1532c93ba2bb70c87268978fa | |
| parent | 973dc20bd12937b90f98a0ba7c750c4f7b189719 (diff) | |
| download | mandoc-0745d78af02f9484ee3018377936265fe41b4858.tar.gz mandoc-0745d78af02f9484ee3018377936265fe41b4858.tar.zst mandoc-0745d78af02f9484ee3018377936265fe41b4858.zip | |
When the last line of a table layout turns out to be empty, it is deleted.
Do not just free the struct tbl_row but also make sure that no pointer
to it remains. Fixing a use after free found by jsg@ with afl.
| -rw-r--r-- | tbl_layout.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/tbl_layout.c b/tbl_layout.c index ed9acc9c..17029e13 100644 --- a/tbl_layout.c +++ b/tbl_layout.c @@ -1,4 +1,4 @@ -/* $Id: tbl_layout.c,v 1.38 2015/02/10 11:03:13 schwarze Exp $ */ +/* $Id: tbl_layout.c,v 1.39 2015/04/29 12:44:58 schwarze Exp $ */ /* * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2012, 2014, 2015 Ingo Schwarze <schwarze@openbsd.org> @@ -308,6 +308,7 @@ tbl_layout(struct tbl_node *tbl, int ln, const char *p, int pos) rp->next->first == NULL) { free(rp->next); rp->next = NULL; + tbl->last_row = rp; } } return; |