Date: Sun, 17 Aug 2014 06:16:00 +0200
From: Ingo Schwarze To: Kristaps Dzonsons Cc: tech@mdocml.bsd.lv Subject: Re: Crash in mandoc HEAD Message-ID: <20140817041600.GI12335@iris.usta.de> References: <53EE10ED.5090400@bsd.lv> X-Mailinglist: mdocml-tech Reply-To: tech@mdocml.bsd.lv MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <53EE10ED.5090400@bsd.lv> User-Agent: Mutt/1.5.21 (2010-09-15) Hi Kristaps, Kristaps Dzonsons wrote on Fri, Aug 15, 2014 at 03:53:49PM +0200: > I managed to crash mandoc(1) today while formatting a manual. > Narrowed down: > > 1 .Dd $Mdocdate$ > 2 .Dt FOO 1 > 3 .Os > 4 .Sh NAME > 5 .Nm foo > 6 .Nd bar > 7 .Sh DESCRIPTION > 8 The > 9 .Bl -hang > 10 .It Nm Fo o > 11 xyzzy > 12 .El > > In short, the "Fo" is continuing a node subtree perpetually and the > HEAD for the "It" on line 10 just keeps going. There's a check for > "n->next->child" which thus crashes because "n->next" is NULL. > > The fix is very simple and enclosed. That's nearly right, but insufficient, the same pointer is accessed a second time a few lines below, so it still crashes. Please commit ASAP in the following form, I'll take care of the merging. Thanks, Ingo Index: mdoc_term.c =================================================================== RCS file: /cvs/src/usr.bin/mandoc/mdoc_term.c,v retrieving revision 1.177 diff -u -p -r1.177 mdoc_term.c --- mdoc_term.c 8 Aug 2014 16:17:09 -0000 1.177 +++ mdoc_term.c 17 Aug 2014 04:08:09 -0000 @@ -804,7 +804,7 @@ termp_it_pre(DECL_ARGS) * the "overstep" effect in term_flushln() and treat * this as a `-ohang' list instead. */ - if (n->next->child && + if (NULL != n->next && NULL != n->next->child && (MDOC_Bl == n->next->child->tok || MDOC_Bd == n->next->child->tok)) break; 
@@ -860,7 +860,8 @@ termp_it_pre(DECL_ARGS) * don't want to recalculate rmargin and offsets when * using `Bd' or `Bl' within `-hang' overstep lists. */ - if (MDOC_HEAD == n->type && n->next->child && + if (MDOC_HEAD == n->type && + NULL != n->next && NULL != n->next->child && (MDOC_Bl == n->next->child->tok || MDOC_Bd == n->next->child->tok)) break; -- To unsubscribe send an email to tech+unsubscribe@mdocml.bsd.lv
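Review bot: In the hunk at @@ -804,7 +804,7 @@, the new "NULL != n->next" test is not explained by the comment above it, which only covers the overstep effect and treating the list as `-ohang'. Please add a sentence to that comment saying that n->next can be NULL here, as in the reported ".It Nm Fo o" input where the HEAD never ends, so the reason for the guard stays visible to the next reader.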
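Review bot: In the hunk at @@ -860,7 +860,8 @@, the condition "NULL != n->next && NULL != n->next->child && (MDOC_Bl == n->next->child->tok || MDOC_Bd == n->next->child->tok)" is now a second copy of the one in the hunk at 804, both inside termp_it_pre, and the first version of this fix already missed one of the two. Consider evaluating it once into a local variable or a small static helper so the two sites cannot drift apart again, and add the reduced 12-line manual from the report as a regression test so both code paths are exercised.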