* mdocml: Even after switching from a pending head to the body, we have to
@ 2016-08-11 13:30 schwarze
0 siblings, 0 replies; only message in thread
From: schwarze @ 2016-08-11 13:30 UTC (permalink / raw)
To: source
Log Message:
-----------
Even after switching from a pending head to the body, we have to
continue scanning upwards, because the enclosing block might already
be pending as well, e.g. .Bl .Bl .It Bo .El .It.
Tree corruption leading to a later NULL deref found by tb@ with afl(1).
Modified Files:
--------------
mdocml:
mdoc_macro.c
Revision Data
-------------
Index: mdoc_macro.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/mdoc_macro.c,v
retrieving revision 1.206
retrieving revision 1.207
diff -Lmdoc_macro.c -Lmdoc_macro.c -u -p -r1.206 -r1.207
--- mdoc_macro.c
+++ mdoc_macro.c
@@ -292,7 +292,7 @@ rew_pending(struct roff_man *mdoc, const
case ROFFT_HEAD:
roff_body_alloc(mdoc, n->line, n->pos,
n->tok);
- return;
+ break;
case ROFFT_BLOCK:
break;
default:
--
To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-08-11 13:30 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-08-11 13:30 mdocml: Even after switching from a pending head to the body, we have to schwarze
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).