From 544fed0e7dababbce66f416055634cc091e20223 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Sat, 11 Jan 2020 16:26:08 +0000
Subject: Fix a logic error: When both the first and the third column are spans, do not use the number of columns of the span starting in column two for the span starting in column zero. With afl, Jan Schreiber found cases where this caused NULL pointer accesses because too many layout cells were consumed. While here, make the code more similar at the three places that iterate over data cells.
---
 tbl_term.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
(limited to 'tbl_term.c')
diff --git a/tbl_term.c b/tbl_term.c
index de88d61c..b124d2c0 100644
--- a/tbl_term.c
+++ b/tbl_term.c
@@ -1,7 +1,7 @@
-/* $Id: tbl_term.c,v 1.72 2019/07/01 22:56:24 schwarze Exp $ */
+/* $Id: tbl_term.c,v 1.73 2020/01/11 16:26:08 schwarze Exp $ */
 /*
 * Copyright (c) 2009, 2011 Kristaps Dzonsons
- * Copyright (c) 2011-2019 Ingo Schwarze
+ * Copyright (c) 2011-2020 Ingo Schwarze
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -267,11 +267,11 @@ term_tbl(struct termp *tp, const struct tbl_span *sp)
 hspans--;
 continue;
 }
- if (dp == NULL)
- continue;
- hspans = dp->hspans;
- if (ic || sp->layout->first->pos != TBL_CELL_SPAN)
+ if (dp != NULL &&
+ (ic || sp->layout->first->pos != TBL_CELL_SPAN)) {
+ hspans = dp->hspans;
 dp = dp->next;
+ }
 }
 /* Set up a column for a right vertical frame. */
@@ -302,11 +302,11 @@ term_tbl(struct termp *tp, const struct tbl_span *sp)
 tp->tcol++;
 tp->col = 0;
 tbl_data(tp, sp->opts, cp, dp, tp->tbl.cols + ic);
- if (dp == NULL)
- continue;
- hspans = dp->hspans;
- if (cp->pos != TBL_CELL_SPAN)
+ if (dp != NULL &&
+ (ic || sp->layout->first->pos != TBL_CELL_SPAN)) {
+ hspans = dp->hspans;
 dp = dp->next;
+ }
 }
 break;
 }
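Review bot: The guard `dp != NULL && (ic || sp->layout->first->pos != TBL_CELL_SPAN)` in the hunk at -267 carries the whole fix but has no comment, and the same expression is repeated in the hunks at -302 and -425. Nothing in the code says why column zero is special, and the commit message records that getting this wrong let crafted tables consume too many layout cells and reach a NULL pointer access. I would put a comment above each copy, for example `/* If the row's first layout cell is a span, column zero must not take hspans from dp or advance it. */`, or move the test into one small static helper so the three loops cannot drift apart again. The loop body starts and ends outside this hunk.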
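Review bot: The per-cell test `cp->pos != TBL_CELL_SPAN` is dropped in the hunk at -302, so for `ic > 0` this loop now advances `dp` even when the current layout cell `cp` is a span, unless the iteration was already skipped earlier. Whether an `hspans` countdown like the one visible in the -267 hunk guards this loop cannot be seen here, because the loop head is outside the hunk. If it does, a comment such as `/* span cells after column zero are skipped by the hspans countdown above */` would record the invariant the fix depends on. Note also that `tbl_data()` receives `dp` before the `dp != NULL` test, so it has to tolerate a NULL data cell on malformed tables; the commit does not change that, but it is worth stating at the call.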
@@ -425,11 +425,10 @@ term_tbl(struct termp *tp, const struct tbl_span *sp)
 cp = cp->next;
 continue;
 }
- if (dp != NULL) {
+ if (dp != NULL && (ic ||
+ sp->layout->first->pos != TBL_CELL_SPAN)) {
 hspans = dp->hspans;
- if (ic || sp->layout->first->pos
- != TBL_CELL_SPAN)
- dp = dp->next;
+ dp = dp->next;
 }
 /*
--
cgit v1.2.3-56-ge451