From 0745d78af02f9484ee3018377936265fe41b4858 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Wed, 29 Apr 2015 12:44:58 +0000
Subject: When the last line of a table layout turns out to be empty, it is deleted. Do not just free the struct tbl_row but also make sure that no pointer to it remains. Fixing a use after free found by jsg@ with afl.
---
 tbl_layout.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tbl_layout.c b/tbl_layout.c
index ed9acc9c..17029e13 100644
--- a/tbl_layout.c
+++ b/tbl_layout.c
@@ -1,4 +1,4 @@
-/* $Id: tbl_layout.c,v 1.38 2015/02/10 11:03:13 schwarze Exp $ */
+/* $Id: tbl_layout.c,v 1.39 2015/04/29 12:44:58 schwarze Exp $ */
 /*
 * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons
 * Copyright (c) 2012, 2014, 2015 Ingo Schwarze
@@ -308,6 +308,7 @@ tbl_layout(struct tbl_node *tbl, int ln, const char *p, int pos)
 rp->next->first == NULL) {
 free(rp->next);
 rp->next = NULL;
+ tbl->last_row = rp;
 }
 }
 return;
--
cgit v1.2.3-56-ge451
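Review bot: In the second hunk, the `free(rp->next)` and the two pointer resets after it have no comment tying them together, so the invariant this commit restores (no field of `tbl` may still reference a freed `struct tbl_row`) is easy to break in a later edit. I would add a comment such as `/* rp->next was the last row; repoint last_row so it does not dangle. */` above `tbl->last_row = rp;`. The assignment is unconditional, which is correct only if `rp->next` really was `tbl->last_row` at this point; the code that establishes `rp` and the start of the condition lie outside the hunk, so that is worth confirming there. The diffstat shows only tbl_layout.c changed, so the afl-found input does not appear to be captured as a regression test in this commit.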