From b1980ad8f95c0b32e91275767b1c1d14b4249195 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Mon, 18 Aug 2014 16:36:54 +0000
Subject: When the first child of the node being validated gets deleted during validation, man_node_unlink() switches to MAN_NEXT_CHILD. After that, we have to switch back to MAN_NEXT_SIBLING after completing validation, or subsequent parsing would add content into an already closed node, clobbering potentially existing children, causing information loss and a memory leak. Bug found by kristaps@ with valgrind in groff(7) on Mac OS X. Note that the switch back must be conditional, for if the node being validated itself gets deleted, we must *not* go to MAN_NEXT_SIBLING, which would not only yield wrong results in general but also crash in malformed manuals having an empty paragraph before the first .SH, for example OpenBSD c++filt(1).
---
 man_macro.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'man_macro.c')
diff --git a/man_macro.c b/man_macro.c
index 3b273cdb..15eee493 100644
--- a/man_macro.c
+++ b/man_macro.c
@@ -1,4 +1,4 @@
-/* $Id: man_macro.c,v 1.88 2014/08/10 23:54:41 schwarze Exp $ */
+/* $Id: man_macro.c,v 1.89 2014/08/18 16:36:54 schwarze Exp $ */
 /*
 * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons
 * Copyright (c) 2012, 2013 Ingo Schwarze
@@ -100,7 +100,6 @@ man_unscope(struct man *man, const struct man_node *to)
 {
 struct man_node *n;
- man->next = MAN_NEXT_SIBLING;
 to = to->parent;
 n = man->last;
 while (n != to) {
@@ -139,11 +138,23 @@ man_unscope(struct man *man, const struct man_node *to)
 * Save a pointer to the parent such that
 * we know where to continue the iteration.
 */
+
 man->last = n;
 n = n->parent;
 if ( ! man_valid_post(man))
 return(0);
 }
+
+ /*
+ * If we ended up at the parent of the node we were
+ * supposed to rewind to, that means the target node
+ * got deleted, so add the next node we parse as a child
+ * of the parent instead of as a sibling of the target.
+ */
+
+ man->next = (man->last == to) ?
+ MAN_NEXT_CHILD : MAN_NEXT_SIBLING;
+
 return(1);
 }
-- cgit v1.2.3-56-ge451
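Review bot: The early `return(0)` inside the loop now leaves `man->next` untouched, because the unconditional `man->next = MAN_NEXT_SIBLING;` at function entry was removed and the new assignment sits only after the loop. If any caller keeps parsing after a failed man_unscope() (callers are not visible here), it would continue with whatever man_node_unlink() last set, which is the state the commit message ties to clobbered children and crashes on malformed manuals; a comment above the `return(0)` such as `/* man->next is left as is on failure; the caller must stop parsing */` would record the assumption. The test `man->last == to` is also true when the loop body never runs, so the new comment should say whether that case can occur and whether MAN_NEXT_CHILD is intended then. The start of man_unscope() and the top of the loop lie outside this hunk.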