diff options
| author |   Ingo Schwarze <schwarze@openbsd.org> | 2016-08-11 13:30:25 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@openbsd.org> | 2016-08-11 13:30:25 +0000 |
| commit | 93ce0a9c79d688def63eaf7f78a889df8e518314 (patch) | |
| tree | 35a93e7b1eb9bfd1160f562dc1d8ec1f379b6fd4 | |
| parent | 15c96eb6113292c0b0b6020583a73f19e8d1411a (diff) | |
| download | mandoc-93ce0a9c79d688def63eaf7f78a889df8e518314.tar.gz mandoc-93ce0a9c79d688def63eaf7f78a889df8e518314.tar.zst mandoc-93ce0a9c79d688def63eaf7f78a889df8e518314.zip | |
Even after switching from a pending head to the body, we have to
continue scanning upwards, because the enclosing block might already
be pending as well, e.g. .Bl .Bl .It Bo .El .It.
Tree corruption leading to a later NULL deref found by tb@ with afl(1).
| -rw-r--r-- | mdoc_macro.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/mdoc_macro.c b/mdoc_macro.c index ca959589..7c535760 100644 --- a/mdoc_macro.c +++ b/mdoc_macro.c @@ -1,4 +1,4 @@ -/* $Id: mdoc_macro.c,v 1.206 2015/10/20 02:01:32 schwarze Exp $ */ +/* $Id: mdoc_macro.c,v 1.207 2016/08/11 13:30:25 schwarze Exp $ */ /* * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010, 2012-2015 Ingo Schwarze <schwarze@openbsd.org> @@ -292,7 +292,7 @@ rew_pending(struct roff_man *mdoc, const struct roff_node *n) case ROFFT_HEAD: roff_body_alloc(mdoc, n->line, n->pos, n->tok); - return; + break; case ROFFT_BLOCK: break; default: |