From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from localhost (fantadrom.bsd.lv [local]);
	by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id e8e25406;
	for <source@mdocml.bsd.lv>;
	Wed, 29 Apr 2015 07:45:28 -0500 (EST)
Date: Wed, 29 Apr 2015 07:45:28 -0500 (EST)
Message-Id: <14914681178375875872.enqueue@fantadrom.bsd.lv>
X-Mailinglist: mdocml-source
Reply-To: source@mdocml.bsd.lv
MIME-Version: 1.0
From: schwarze@mdocml.bsd.lv
To: source@mdocml.bsd.lv
Subject: mdocml: When the last line of a table layout turns out to be empty, it 
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8

Log Message:
-----------
When the last line of a table layout turns out to be empty, it is deleted.
Do not just free the struct tbl_row but also make sure that no pointer
to it remains.  Fixing a use after free found by jsg@ with afl.

Modified Files:
--------------
    mdocml:
        tbl_layout.c

Revision Data
-------------
Index: tbl_layout.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/tbl_layout.c,v
retrieving revision 1.38
retrieving revision 1.39
diff -Ltbl_layout.c -Ltbl_layout.c -u -p -r1.38 -r1.39
--- tbl_layout.c
+++ tbl_layout.c
@@ -308,6 +308,7 @@ tbl_layout(struct tbl_node *tbl, int ln,
 				    rp->next->first == NULL) {
 					free(rp->next);
 					rp->next = NULL;
+					tbl->last_row = rp;
 				}
 			}
 			return;
--
 To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv