discuss@mandoc.bsd.lv
 help / color / mirror / Atom feed
* Crash when run against groff tbl(1) output
@ 2014-10-14  6:07 Anthony J. Bentley
  2014-10-14 18:24 ` Ingo Schwarze
  0 siblings, 1 reply; 2+ messages in thread
From: Anthony J. Bentley @ 2014-10-14  6:07 UTC (permalink / raw)
  To: discuss

I ran "tbl /usr/share/man/man6/phantasia.6 | mandoc". I don't know what I
expected, but I didn't expect this:

Program received signal SIGSEGV, Segmentation fault.
0x00001c3b46c3d9f6 in term_tbl (tp=0x1c3e10d58a00, sp=0x1c3de3073f40)
    at tbl_term.c:104
104             if ((TBL_OPT_BOX | TBL_OPT_DBOX) & sp->opts->opts ||

Here is a reduced (possibly nonsensical) form of that input that triggers
what I hope is the same crash; backtrace follows.

.TS
.if !'\n(.z'' \!.foo
.de bar
..
\!.baz
.baz x

Program received signal SIGSEGV, Segmentation fault.
0x0000017c40b3d9f6 in term_tbl (tp=0x17f04bbce00, sp=0x17f393ff3c0)
    at tbl_term.c:104
104             if ((TBL_OPT_BOX | TBL_OPT_DBOX) & sp->opts->opts ||
(gdb) bt
#0  0x0000017c40b3d9f6 in term_tbl (tp=0x17f04bbce00, sp=0x17f393ff3c0)
    at tbl_term.c:104
#1  0x0000017c40b2fcb9 in print_man_nodelist (p=0x17f04bbce00, 
    mt=0x7f7fffff5720, n=0x17e8a771c00, meta=0x17e8a771d28) at man_term.c:1052
#2  0x0000017c40b2fe9a in terminal_man (arg=0x17f04bbce00, man=Variable "man" is not available.
)
    at man_term.c:183
#3  0x0000017c40b284e6 in parse (curp=0x7f7fffff5a40, fd=Variable "fd" is not available.
) at main.c:544
#4  0x0000017c40b2912c in main (argc=1, argv=0x7f7fffff6438) at main.c:377

--
 To unsubscribe send an email to discuss+unsubscribe@mdocml.bsd.lv

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Crash when run against groff tbl(1) output
  2014-10-14  6:07 Crash when run against groff tbl(1) output Anthony J. Bentley
@ 2014-10-14 18:24 ` Ingo Schwarze
  0 siblings, 0 replies; 2+ messages in thread
From: Ingo Schwarze @ 2014-10-14 18:24 UTC (permalink / raw)
  To: Anthony J. Bentley; +Cc: discuss

Hi Anthony,

Anthony J. Bentley wrote on Tue, Oct 14, 2014 at 12:07:19AM -0600:

> Here is a reduced (possibly nonsensical) form of that input that
> triggers what I hope is the same crash; backtrace follows.
> 
> .TS
> .if !'\n(.z'' \!.foo
> .de bar
> ..
> \!.baz
> .baz x

Here is a minimal example:

  .TS
  |.
  \&

That makes it quite obvious what the problem is, doesn't it?  ;-)

Committed fix below.

Thanks for reporting,
  Ingo


Log Message:
-----------
even if a table has zero columns, do not segfault in the formatter;
bug reported by bentley@

Modified Files:
--------------
    mdocml:
        out.c
        tbl_term.c

Revision Data
-------------
Index: out.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/out.c,v
retrieving revision 1.52
retrieving revision 1.53
diff -Lout.c -Lout.c -u -p -r1.52 -r1.53
--- out.c
+++ out.c
@@ -158,7 +158,7 @@ tblcalc(struct rofftbl *tbl, const struc
 	tbl->cols = mandoc_calloc((size_t)sp->opts->cols,
 	    sizeof(struct roffcol));
 
-	for (maxcol = 0; sp; sp = sp->next) {
+	for (maxcol = -1; sp; sp = sp->next) {
 		if (TBL_SPAN_DATA != sp->pos)
 			continue;
 		spans = 1;
Index: tbl_term.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/tbl_term.c,v
retrieving revision 1.30
retrieving revision 1.31
diff -Ltbl_term.c -Ltbl_term.c -u -p -r1.30 -r1.31
--- tbl_term.c
+++ tbl_term.c
@@ -107,7 +107,7 @@ term_tbl(struct termp *tp, const struct 
 	/* Vertical frame at the start of each row. */
 
 	if ((TBL_OPT_BOX | TBL_OPT_DBOX) & sp->opts->opts ||
-	    sp->head->vert)
+	    (sp->head != NULL && sp->head->vert))
 		term_word(tp, TBL_SPAN_HORIZ == sp->pos ||
 		    TBL_SPAN_DHORIZ == sp->pos ? "+" : "|");
 
--
 To unsubscribe send an email to discuss+unsubscribe@mdocml.bsd.lv

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-10-14 18:24 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-10-14  6:07 Crash when run against groff tbl(1) output Anthony J. Bentley
2014-10-14 18:24 ` Ingo Schwarze

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).