* mdocml: Avoid a use after free when the target node is deleted during
@ 2015-04-21 16:14 schwarze
0 siblings, 0 replies; only message in thread
From: schwarze @ 2015-04-21 16:14 UTC (permalink / raw)
To: source
Log Message:
-----------
Avoid a use after free when the target node is deleted during validation.
Bug reported by jsg@.
Modified Files:
--------------
mdocml:
mdoc_macro.c
Revision Data
-------------
Index: mdoc_macro.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/mdoc_macro.c,v
retrieving revision 1.193
retrieving revision 1.194
diff -Lmdoc_macro.c -Lmdoc_macro.c -u -p -r1.193 -r1.194
--- mdoc_macro.c
+++ mdoc_macro.c
@@ -291,18 +291,21 @@ rew_pending(struct roff_man *mdoc, const
for (;;) {
rew_last(mdoc, n);
- switch (n->type) {
- case ROFFT_HEAD:
- roff_body_alloc(mdoc, n->line, n->pos, n->tok);
- return;
- case ROFFT_BLOCK:
- break;
- default:
- return;
- }
-
- if ( ! (n->flags & MDOC_BROKEN))
- return;
+ if (mdoc->last == n) {
+ switch (n->type) {
+ case ROFFT_HEAD:
+ roff_body_alloc(mdoc, n->line, n->pos,
+ n->tok);
+ return;
+ case ROFFT_BLOCK:
+ break;
+ default:
+ return;
+ }
+ if ( ! (n->flags & MDOC_BROKEN))
+ return;
+ } else
+ n = mdoc->last;
for (;;) {
if ((n = n->parent) == NULL)
--
To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-04-21 16:14 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-04-21 16:14 mdocml: Avoid a use after free when the target node is deleted during schwarze
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).