From d63e18d2a47de821b302e3d98f4dd17bdcab95f9 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Thu, 1 Jan 2015 15:36:08 +0000
Subject: Don't dereference NULL pointers when formatting missing denominators,
 subscripts, superscripts, or "from" or "to" arguments. Found by jsg@ with
 afl.

---
 eqn_term.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'eqn_term.c')

diff --git a/eqn_term.c b/eqn_term.c
index 010a152e..5f2818b4 100644
--- a/eqn_term.c
+++ b/eqn_term.c
@@ -1,7 +1,7 @@
-/*	$Id: eqn_term.c,v 1.7 2014/10/12 14:49:39 schwarze Exp $ */
+/*	$Id: eqn_term.c,v 1.8 2015/01/01 15:36:08 schwarze Exp $ */
 /*
  * Copyright (c) 2011 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2014 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2014, 2015 Ingo Schwarze <schwarze@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -79,14 +79,17 @@ eqn_box(struct termp *p, const struct eqn_box *bp)
 		     bp->pos == EQNPOS_TO) ? "^" : "_");
 		p->flags |= TERMP_NOSPACE;
 		child = child->next;
-		eqn_box(p, child);
-		if (bp->pos == EQNPOS_FROMTO ||
-		    bp->pos == EQNPOS_SUBSUP) {
-			p->flags |= TERMP_NOSPACE;
-			term_word(p, "^");
-			p->flags |= TERMP_NOSPACE;
-			child = child->next;
+		if (child != NULL) {
 			eqn_box(p, child);
+			if (bp->pos == EQNPOS_FROMTO ||
+			    bp->pos == EQNPOS_SUBSUP) {
+				p->flags |= TERMP_NOSPACE;
+				term_word(p, "^");
+				p->flags |= TERMP_NOSPACE;
+				child = child->next;
+				if (child != NULL)
+					eqn_box(p, child);
+			}
 		}
 	} else {
 		child = bp->first;
-- 
cgit v1.2.3-56-ge451