From 93ce0a9c79d688def63eaf7f78a889df8e518314 Mon Sep 17 00:00:00 2001 From: Ingo Schwarze Date: Thu, 11 Aug 2016 13:30:25 +0000 Subject: Even after switching from a pending head to the body, we have to continue scanning upwards, because the enclosing block might already be pending as well, e.g. .Bl .Bl .It Bo .El .It. Tree corruption leading to a later NULL deref found by tb@ with afl(1). --- mdoc_macro.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mdoc_macro.c b/mdoc_macro.c index ca959589..7c535760 100644 --- a/mdoc_macro.c +++ b/mdoc_macro.c @@ -1,4 +1,4 @@ -/* $Id: mdoc_macro.c,v 1.206 2015/10/20 02:01:32 schwarze Exp $ */ +/* $Id: mdoc_macro.c,v 1.207 2016/08/11 13:30:25 schwarze Exp $ */ /* * Copyright (c) 2008-2012 Kristaps Dzonsons * Copyright (c) 2010, 2012-2015 Ingo Schwarze @@ -292,7 +292,7 @@ rew_pending(struct roff_man *mdoc, const struct roff_node *n) case ROFFT_HEAD: roff_body_alloc(mdoc, n->line, n->pos, n->tok); - return; + break; case ROFFT_BLOCK: break; default: -- cgit v1.2.3-56-ge451
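Review bot: In the second hunk (rew_pending, case ROFFT_HEAD), the new "break;" after roff_body_alloc() has no comment saying why the scan must continue, so the reason is recorded only in the commit message. A short comment at that line, noting that the enclosing block may itself already be pending, would keep a later cleanup from turning it back into "return;". The diffstat shows only mdoc_macro.c changed, so the reproducer from the commit message (.Bl .Bl .It Bo .El .It) is not captured as a regression test; adding it would guard the tree-corruption case that afl(1) found. The code after the switch lies outside the visible context, and it is now reached on the ROFFT_HEAD path for the first time, so it is worth confirming that it behaves correctly for a node that entered the switch as a head.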