From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from localhost (fantadrom.bsd.lv [local]); by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id 75638a8b; for ; Tue, 21 Apr 2015 11:14:55 -0500 (EST) Date: Tue, 21 Apr 2015 11:14:55 -0500 (EST) Message-Id: <17074907254052984721.enqueue@fantadrom.bsd.lv> X-Mailinglist: mdocml-source Reply-To: source@mdocml.bsd.lv MIME-Version: 1.0 From: schwarze@mdocml.bsd.lv To: source@mdocml.bsd.lv Subject: mdocml: Avoid a use after free when the target node is deleted during X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/ Content-Type: text/plain; charset=utf-8 Log Message: ----------- Avoid a use after free when the target node is deleted during validation. Bug reported by jsg@. Modified Files: -------------- mdocml: mdoc_macro.c Revision Data ------------- Index: mdoc_macro.c =================================================================== RCS file: /home/cvs/mdocml/mdocml/mdoc_macro.c,v retrieving revision 1.193 retrieving revision 1.194 diff -Lmdoc_macro.c -Lmdoc_macro.c -u -p -r1.193 -r1.194 --- mdoc_macro.c +++ mdoc_macro.c @@ -291,18 +291,21 @@ rew_pending(struct roff_man *mdoc, const for (;;) { rew_last(mdoc, n); - switch (n->type) { - case ROFFT_HEAD: - roff_body_alloc(mdoc, n->line, n->pos, n->tok); - return; - case ROFFT_BLOCK: - break; - default: - return; - } - - if ( ! (n->flags & MDOC_BROKEN)) - return; + if (mdoc->last == n) { + switch (n->type) { + case ROFFT_HEAD: + roff_body_alloc(mdoc, n->line, n->pos, + n->tok); + return; + case ROFFT_BLOCK: + break; + default: + return; + } + if ( ! (n->flags & MDOC_BROKEN)) + return; + } else + n = mdoc->last; for (;;) { if ((n = n->parent) == NULL) -- To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv