From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from localhost (fantadrom.bsd.lv [local]); by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id 5ddf243b; for ; Fri, 1 May 2015 11:59:04 -0500 (EST) Date: Fri, 1 May 2015 11:59:04 -0500 (EST) Message-Id: <10026675321688728196.enqueue@fantadrom.bsd.lv> X-Mailinglist: mdocml-source Reply-To: source@mdocml.bsd.lv MIME-Version: 1.0 From: schwarze@mdocml.bsd.lv To: source@mdocml.bsd.lv Subject: mdocml: mdoc_valid_post() may indirectly call roff_node_unlink() which X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/ Content-Type: text/plain; charset=utf-8 Log Message: ----------- mdoc_valid_post() may indirectly call roff_node_unlink() which may set ROFF_NEXT_CHILD, which is desirable for the final call to mdoc_valid_post() - in case the target itself gets deleted, the parse point may need this adjustment - but not for the intermediate calls - if intermediate nodes get deleted, that mustn't clobber the parse point. So move setting ROFF_NEXT_SIBLING to the proper place in rew_last(). This fixes the assertion failure in jsg@'s afl test case 108/Apr27. Modified Files: -------------- mdocml: mdoc_macro.c Revision Data ------------- Index: mdoc_macro.c =================================================================== RCS file: /home/cvs/mdocml/mdocml/mdoc_macro.c,v retrieving revision 1.199 retrieving revision 1.200 diff -Lmdoc_macro.c -Lmdoc_macro.c -u -p -r1.199 -r1.200 --- mdoc_macro.c +++ mdoc_macro.c @@ -263,7 +263,6 @@ rew_last(struct roff_man *mdoc, const st if (to->flags & MDOC_VALID) return; - mdoc->next = ROFF_NEXT_SIBLING; while (mdoc->last != to) { /* * Save the parent here, because we may delete the @@ -276,6 +275,7 @@ rew_last(struct roff_man *mdoc, const st mdoc->last = np; assert(mdoc->last); } + mdoc->next = ROFF_NEXT_SIBLING; mdoc_valid_post(mdoc); } -- To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv