source@mandoc.bsd.lv
* mdocml: In the SYNOPSIS, .Nm blocks can get broken if one of their
@ 2017-02-10 16:21 schwarze
From: schwarze @ 2017-02-10 16:21 UTC
  To: source

Log Message:
-----------
In the SYNOPSIS, .Nm blocks can get broken if one of their children
gets broken.  In that case, mark them as BROKEN and ENDED and make
sure they get closed out together with the child.

Fixes tree corruption leading to a NULL dereference found by tb@
with afl(1) in: .Sh SYNOPSIS .Bl .Oo .Nm .Bk .Oc .It (where .Bk is
the child and .Oo is the breaker).
A simpler form of the same corruption (without crash) is visible in:
.Sh SYNOPSIS .Ao .Nm .Bo .Ac .Bc text
where the text ended up inside the .Nm (child .Bo, breaker .Ao).

Modified Files:
--------------
    mdocml:
        mdoc_macro.c
        NEWS

Revision Data
-------------
Index: mdoc_macro.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/mdoc_macro.c,v
retrieving revision 1.210
retrieving revision 1.211
diff -Lmdoc_macro.c -Lmdoc_macro.c -u -p -r1.210 -r1.211
--- mdoc_macro.c
+++ mdoc_macro.c
@@ -575,16 +575,24 @@ blk_exp_close(MACRO_PROT_ARGS)
 		}
 
 		/*
-		 * Mismatching end macros can never break anything,
-		 * SYNOPSIS name blocks can never be broken,
+		 * Mismatching end macros can never break anything
 		 * and we only care about the breaking of BLOCKs.
 		 */
 
-		if (body == NULL ||
-		    n->tok == MDOC_Nm ||
-		    n->type != ROFFT_BLOCK)
+		if (body == NULL || n->type != ROFFT_BLOCK)
 			continue;
 
+		/*
+		 * SYNOPSIS name blocks can not be broken themselves,
+		 * but they do get broken together with a broken child.
+		 */
+
+		if (n->tok == MDOC_Nm) {
+			if (later != NULL)
+				n->flags |= NODE_BROKEN | NODE_ENDED;
+			continue;
+		}
+
 		if (n->tok == MDOC_It) {
 			itblk = n;
 			continue;
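Review bot: In the new `n->tok == MDOC_Nm` branch, the only thing separating the old unconditional skip from the new marking is `if (later != NULL)`, and neither the comment above the branch nor the visible context says what `later` holds. The comment says the name block gets broken "together with a broken child"; if a non-NULL `later` means such a child has already been found, the comment should say so, because that test is the whole fix. The comment also does not say why `NODE_ENDED` is set in addition to `NODE_BROKEN`; the log message mentions both, the code comment neither. Style: "can not" would read better as "cannot".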
@@ -987,7 +995,7 @@ blk_full(MACRO_PROT_ARGS)
 
 			/* Close out prior implicit scopes. */
 
-			rew_last(mdoc, n);
+			rew_pending(mdoc, n);
 		}
 
 		/* Skip items outside lists. */
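Review bot: The swap from `rew_last(mdoc, n)` to `rew_pending(mdoc, n)` in blk_full() leaves the comment "Close out prior implicit scopes." unchanged, so the reason for using a different rewind helper is not recorded anywhere in the code. The log message says broken .Nm blocks must get closed out together with the child; if this call is what does that, extend the comment to say so, otherwise a later cleanup could change it back to `rew_last` without anyone noticing the regression.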
Index: NEWS
===================================================================
RCS file: /home/cvs/mdocml/mdocml/NEWS,v
retrieving revision 1.15
retrieving revision 1.16
diff -LNEWS -LNEWS -u -p -r1.15 -r1.16
--- NEWS
+++ NEWS
@@ -52,6 +52,8 @@ Changes in version 1.14.1, released on F
    for macro sequences like .Bl .Bl .It Bo .El .It.
  * mdoc(7): Fix syntax tree corruption leading to NULL dereference
    caused by .Ta following a nested .Bl -column breaking another block.
+ * mdoc(7): Fix syntax tree corruption sometimes leading to NULL
+   dereference caused by indirectly broken .Nm blocks in the SYNOPSIS.
  * mdoc(7) -Thtml: Fix a NULL dereference for .Bl -column with 0 columns.
  * mdoc(7): Fix NULL dereference if the only child of the head
    of the first .Sh was an empty in-line macro.
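Review bot: The added NEWS entry describes the failure only as "sometimes leading to NULL dereference", while the log message gives two concrete inputs (.Sh SYNOPSIS .Bl .Oo .Nm .Bk .Oc .It and .Sh SYNOPSIS .Ao .Nm .Bo .Ac .Bc text). The file list for this commit is mdoc_macro.c and NEWS only, so neither input is captured as a regression test here. Adding both would pin the fix, including the non-crashing case where the text ends up inside the .Nm, which a crash-only check would miss.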