From 8330e5fd370ea4633052bdaece49563be0db086b Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Fri, 30 Jan 2015 00:29:30 +0000
Subject: Make sure every layout line contains at least one cell; fixing a NULL pointer access in term_tbl() that jsg@ found with afl.
---
 tbl_layout.c | 42 +++++++++++++++++++++++++++++++-----------
 1 file changed, 31 insertions(+), 11 deletions(-)
(limited to 'tbl_layout.c')
diff --git a/tbl_layout.c b/tbl_layout.c
index 5a990765..a2b5ef67 100644
--- a/tbl_layout.c
+++ b/tbl_layout.c
@@ -1,4 +1,4 @@
-/* $Id: tbl_layout.c,v 1.34 2015/01/28 15:03:45 schwarze Exp $ */
+/* $Id: tbl_layout.c,v 1.35 2015/01/30 00:29:30 schwarze Exp $ */
 /*
 * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons
 * Copyright (c) 2012, 2014, 2015 Ingo Schwarze
@@ -262,11 +262,14 @@ tbl_layout(struct tbl_node *tbl, int ln, const char *p, int pos)
 */
 if (tbl->first_row == NULL) {
+ tbl->first_row = tbl->last_row =
+ mandoc_calloc(1, sizeof(*rp));
+ }
+ if (tbl->first_row->first == NULL) {
 mandoc_msg(MANDOCERR_TBLLAYOUT_NONE,
 tbl->parse, ln, pos, NULL);
- rp = mandoc_calloc(1, sizeof(*rp));
- cell_alloc(tbl, rp, TBL_CELL_LEFT);
- tbl->first_row = tbl->last_row = rp;
+ cell_alloc(tbl, tbl->first_row,
+ TBL_CELL_LEFT);
 return;
 }
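Review bot: The added `if (tbl->first_row->first == NULL)` test is where the one-cell-per-row invariant named in the commit subject is enforced for the first row, but nothing in the code says so, and the empty row allocated just above it only makes sense in that light. I would put a short comment above the second `if`, for example `/* Every layout row must hold at least one cell; give an empty layout a default left-aligned one. */`. The comment block that closes at the top of the hunk and the rest of tbl_layout() lie outside the hunk, so part of this may already be stated there.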
@@ -282,19 +285,36 @@ tbl_layout(struct tbl_node *tbl, int ln, const char *p, int pos)
 rp->last->head == tbl->last_head &&
 tbl->opts.rvert < rp->last->vert)
 tbl->opts.rvert = rp->last->vert;
+
+ /* If the last line is empty, drop it. */
+
+ if (rp->next != NULL &&
+ rp->next->first == NULL) {
+ free(rp->next);
+ rp->next = NULL;
+ }
 }
 return;
 default: /* Cell. */
 break;
 }
- if (rp == NULL) { /* First cell on this line. */
- rp = mandoc_calloc(1, sizeof(*rp));
- if (tbl->last_row)
- tbl->last_row->next = rp;
- else
- tbl->first_row = rp;
- tbl->last_row = rp;
+ /*
+ * If the last line had at least one cell,
+ * start a new one; otherwise, continue it.
+ */
+
+ if (rp == NULL) {
+ if (tbl->last_row == NULL ||
+ tbl->last_row->first != NULL) {
+ rp = mandoc_calloc(1, sizeof(*rp));
+ if (tbl->last_row)
+ tbl->last_row->next = rp;
+ else
+ tbl->first_row = rp;
+ tbl->last_row = rp;
+ } else
+ rp = tbl->last_row;
 }
 cell(tbl, rp, ln, p, &pos);
 }
-- 
cgit v1.2.3-56-ge451
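Review bot: After `free(rp->next); rp->next = NULL;` in the added "drop it" block, `tbl->last_row` is left untouched and so still points at the row that was just freed. The append logic lower in this hunk never starts a new row while the tail row is empty, so an empty `rp->next` can only be the tail that `tbl->last_row` refers to. Any later read of `tbl->last_row` would then touch freed memory; whether such a read happens once the layout has ended is not visible here. Adding `tbl->last_row = rp;` right after `rp->next = NULL;` keeps the list and its tail pointer consistent. The enclosing loop and tbl_layout() both start outside the hunk.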