diff options
| author |   Ingo Schwarze <schwarze@openbsd.org> | 2014-12-18 19:23:41 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-12-18 19:23:41 +0000 |
| commit | 229720cce01cf21062785d79f3458f2971523654 (patch) | |
| tree | 08ea5b5d77b285dafac74e2e7474c70d9475e0c7 | |
| parent | 22bd6b000952af1c83addbfd529269c26dd87c3a (diff) | |
| download | mandoc-229720cce01cf21062785d79f3458f2971523654.tar.gz mandoc-229720cce01cf21062785d79f3458f2971523654.tar.zst mandoc-229720cce01cf21062785d79f3458f2971523654.zip | |
When the head of a list item is extended with a partial explicit
macro (for example .Xo) and never closed again, the item ends up
without a body block. This can even happen for list types that
usually don't have heads in the first place. So even in this
case, check for the existence of the body before accessing it.
NULL pointer access found by jsg@ with afl.
| -rw-r--r-- | mdoc_validate.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/mdoc_validate.c b/mdoc_validate.c index 7990ffe9..01b2f1b7 100644 --- a/mdoc_validate.c +++ b/mdoc_validate.c @@ -1,4 +1,4 @@ -/* $Id: mdoc_validate.c,v 1.263 2014/11/30 05:29:00 schwarze Exp $ */ +/* $Id: mdoc_validate.c,v 1.264 2014/12/18 19:23:41 schwarze Exp $ */ /* * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org> @@ -1197,7 +1197,7 @@ post_it(POST_ARGS) struct mdoc_node *nbl, *nit, *nch; nit = mdoc->last; - if (MDOC_BLOCK != nit->type) + if (nit->type != MDOC_BLOCK) return; nbl = nit->parent->parent; @@ -1213,7 +1213,7 @@ post_it(POST_ARGS) case LIST_inset: /* FALLTHROUGH */ case LIST_diag: - if (NULL == nit->head->child) + if (nit->head->child == NULL) mandoc_vmsg(MANDOCERR_IT_NOHEAD, mdoc->parse, nit->line, nit->pos, "Bl -%s It", @@ -1226,14 +1226,14 @@ post_it(POST_ARGS) case LIST_enum: /* FALLTHROUGH */ case LIST_hyphen: - if (NULL == nit->body->child) + if (nit->body == NULL || nit->body->child == NULL) mandoc_vmsg(MANDOCERR_IT_NOBODY, mdoc->parse, nit->line, nit->pos, "Bl -%s It", mdoc_argnames[nbl->args->argv[0].arg]); /* FALLTHROUGH */ case LIST_item: - if (NULL != nit->head->child) + if (nit->head->child != NULL) mandoc_vmsg(MANDOCERR_ARG_SKIP, mdoc->parse, nit->line, nit->pos, "It %s", nit->head->child->string); @@ -1241,10 +1241,10 @@ post_it(POST_ARGS) case LIST_column: cols = (int)nbl->norm->Bl.ncols; - assert(NULL == nit->head->child); + assert(nit->head->child == NULL); for (i = 0, nch = nit->child; nch; nch = nch->next) - if (MDOC_BODY == nch->type) + if (nch->type == MDOC_BODY) i++; if (i < cols || i > cols + 1) |