Fix block scoping error if an explicit block is broken by two

implicit blocks (.Aq Bq Po .Pc) that left the outer breaker open
and could in exceptional cases, like between .Bl and .It, cause
tree corruption leading to NULL dereference.
Found by tb@ with afl(1).

While here, do not mark intermediate ENDBODY markers as broken.

1 files changed, 6 insertions, 3 deletions

diff --git a/mdoc_macro.c b/mdoc_macro.c
index a7ec6739..5ab9c412 100644
--- a/mdoc_macro.c
+++ b/mdoc_macro.c
@@ -1,4 +1,4 @@
-/*	$Id: mdoc_macro.c,v 1.216 2017/02/16 03:00:23 schwarze Exp $ */
+/*	$Id: mdoc_macro.c,v 1.217 2017/02/16 09:47:31 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010, 2012-2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -381,6 +381,10 @@ rew_elem(struct roff_man *mdoc, int tok)
 static void
 break_intermediate(struct roff_node *n, struct roff_node *breaker)
 {
+	if (n != breaker &&
+	    n->type != ROFFT_BLOCK && n->type != ROFFT_HEAD &&
+	    (n->type != ROFFT_BODY || n->end != ENDBODY_NOT))
+		n = n->parent;
 	while (n != breaker) {
 		if ( ! (n->flags & NODE_VALID))
 			n->flags |= NODE_BROKEN;
@@ -410,8 +414,7 @@ find_pending(struct roff_man *mdoc, int tok, int line, int ppos,
 		if (n->type == ROFFT_BLOCK &&
 		    mdoc_macros[n->tok].flags & MDOC_EXPLICIT) {
 			irc = 1;
-			break_intermediate(mdoc->last, n);
-			n->flags |= NODE_BROKEN;
+			break_intermediate(mdoc->last, target);
 			if (target->type == ROFFT_HEAD)
 				target->flags |= NODE_ENDED;
 			else if ( ! (target->flags & NODE_ENDED)) {