Here's an interesting bug I found in the wild. First, some backstory. The aerc[1] email client uses scdoc[2] to generate its manpages (same author). Scdoc files are kinda like markdown, but they have a funky way of setting out tables (see the TABLES section of scdoc(5)[3]). So, the aerc-config document has a long table for command keys, and in the middle of it the author forgot to set the alignment for a cell. I'm attaching the formatted document, but I can trigger the same bug with this (bug.5): .TS allbox; l c l l l. Foo Bar FooBar Foo Bar .TE This occurs on Arch Linux and OpenBSD 6.5, with the latest changes from CVS. This is the output from GDB: #0 0x000055632eb7ff52 in tbl_hrule (tp=0x55632edc6d00, spp=0x55632edc31a0, sp=0x55632edc31a0, spn=0x55632edc3310, flags=1) at tbl_term.c:626 626 col = tp->tbl.cols + cp->col; (gdb) p tp->tbl.cols $2 = (struct roffcol *) 0x55632edcb890 (gdb) p cp->col Cannot access memory at address 0x24 I've tested this with groff and Plan 9 troff/tbl and they handle this fine. [1] https://git.sr.ht/~sircmpwn/aerc2 [2] https://git.sr.ht/~sircmpwn/scdoc [3] https://git.sr.ht/~sircmpwn/scdoc/blob/master/scdoc.5.scd [4] https://git.sr.ht/~sircmpwn/aerc/blob/master/doc/aerc-config.5.scd -- Stephen Gregoratto PGP: 3FC6 3D0E 2801 C348 1C44 2D34 A80C 0F8E 8BAB EC8B