From 012b0a63e80b5d6c24ffc3ddc292861aa4132cc6 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Fri, 30 Jan 2015 17:32:16 +0000
Subject: Delete the redundant tbl span flags, just inspect the actual data
 where needed, which is less fragile. This fixes a subtle NULL pointer access
 to tp->tbl.cols: Due to a bug in the man(7) parser, the first span of a table
 can end up in a .TP head, in which case tblcalc() was never called. Found by
 jsg@ with afl.

---
 tbl_html.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'tbl_html.c')

diff --git a/tbl_html.c b/tbl_html.c
index 9f982ce3..e7940381 100644
--- a/tbl_html.c
+++ b/tbl_html.c
@@ -1,4 +1,4 @@
-/*	$Id: tbl_html.c,v 1.15 2015/01/30 04:11:50 schwarze Exp $ */
+/*	$Id: tbl_html.c,v 1.16 2015/01/30 17:32:16 schwarze Exp $ */
 /*
  * Copyright (c) 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -54,7 +54,7 @@ html_tblopen(struct html *h, const struct tbl_span *sp)
 	struct roffcol	*col;
 	int		 ic;
 
-	if (sp->flags & TBL_SPAN_FIRST) {
+	if (h->tbl.cols == NULL) {
 		h->tbl.len = html_tbl_len;
 		h->tbl.slen = html_tbl_strlen;
 		tblcalc(&h->tbl, sp, 0);
@@ -132,7 +132,7 @@ print_tbl(struct html *h, const struct tbl_span *sp)
 
 	h->flags &= ~HTML_NONOSPACE;
 
-	if (sp->flags & TBL_SPAN_LAST) {
+	if (sp->next == NULL) {
 		assert(h->tbl.cols);
 		free(h->tbl.cols);
 		h->tbl.cols = NULL;
-- 
cgit v1.2.3-56-ge451