Crash with empty table cell

Crash with empty table cell

[Anthony J. Bentley]

Hi,

This simplified example from syncthing-bep(7) causes a crash:

.TS
center;
|l|l|.
_
T{
A
T}	T{
B
T}
_
T{
D
T}	T{
T}
_
.TE

Program received signal SIGSEGV, Segmentation fault.
strcmp () at /usr/src/lib/libc/arch/amd64/string/strcmp.S:59
59              movb    (%rdi),%al
(gdb) bt
#0  strcmp () at /usr/src/lib/libc/arch/amd64/string/strcmp.S:59
#1  0x00000e4f8ac99b7f in tbl_hrule (tp=0xe524e0aae00, spp=0xe51b8c5cd80, 
    spn=0xe524a503080, flags=0) at tbl_term.c:671
#2  0x00000e4f8ac98e8c in term_tbl (tp=0xe524e0aae00, sp=<optimized out>)
    at tbl_term.c:343
#3  0x00000e4f8ac959c1 in print_man_nodelist (n=0xe519e437000, 
    p=<optimized out>, mt=<optimized out>, meta=<optimized out>)
    at man_term.c:989
#4  terminal_man (arg=0xe524e0aae00, man=0xe521a68a600) at man_term.c:182
#5  0x00000e4f8ac88f61 in parse (curp=<optimized out>, fd=<optimized out>, 
    file=<optimized out>) at main.c:855
#6  0x00000e4f8ac882c2 in main (argc=0, argv=0x7f7ffffda3b0) at main.c:471

-- 
Anthony J. Bentley
--
 To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv

Re: Crash with empty table cell

[Ingo Schwarze]

Hi Anthony,

Anthony J. Bentley wrote on Tue, Feb 12, 2019 at 11:01:14PM -0700:

> This simplified example from syncthing-bep(7) causes a crash:
> 
> .TS
> center;
> |l|l|.
> _
> T{
> A
> T}	T{
> B
> T}
> _
> T{
> D
> T}	T{
> T}
> _
> .TE
> 
> Program received signal SIGSEGV, Segmentation fault.
> strcmp () at /usr/src/lib/libc/arch/amd64/string/strcmp.S:59
> 59              movb    (%rdi),%al
> (gdb) bt
> #0  strcmp () at /usr/src/lib/libc/arch/amd64/string/strcmp.S:59
> #1  0x00000e4f8ac99b7f in tbl_hrule (tp=0xe524e0aae00, spp=0xe51b8c5cd80, 
>     spn=0xe524a503080, flags=0) at tbl_term.c:671
> #2  0x00000e4f8ac98e8c in term_tbl (tp=0xe524e0aae00, sp=<optimized out>)
>     at tbl_term.c:343
> #3  0x00000e4f8ac959c1 in print_man_nodelist (n=0xe519e437000, 
>     p=<optimized out>, mt=<optimized out>, meta=<optimized out>)
>     at man_term.c:989
> #4  terminal_man (arg=0xe524e0aae00, man=0xe521a68a600) at man_term.c:182
> #5  0x00000e4f8ac88f61 in parse (curp=<optimized out>, fd=<optimized out>, 
>     file=<optimized out>) at main.c:855
> #6  0x00000e4f8ac882c2 in main (argc=0, argv=0x7f7ffffda3b0) at main.c:471

Fixed with the commit below, thanks for reporting!
  Ingo


Log Message:
-----------
fix a NULL pointer access on empty tbl(7) data cells
that bentley@ found in syncthing-bep(7)

Modified Files:
--------------
    mandoc:
        tbl_term.c

Revision Data
-------------
Index: tbl_term.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/tbl_term.c,v
retrieving revision 1.69
retrieving revision 1.70
diff -Ltbl_term.c -Ltbl_term.c -u -p -r1.69 -r1.70
--- tbl_term.c
+++ tbl_term.c
@@ -629,7 +629,8 @@ tbl_hrule(struct termp *tp, const struct
 
 		lw = cpp == NULL || cpn == NULL ||
 		    (cpn->pos != TBL_CELL_DOWN &&
-		     (dpn == NULL || strcmp(dpn->string, "\\^") != 0))
+		     (dpn == NULL || dpn->string == NULL ||
+		      strcmp(dpn->string, "\\^") != 0))
 		    ? hw : 0;
 		tbl_direct_border(tp, BHORIZ * lw,
 		    col->width + col->spacing / 2);
@@ -675,7 +676,8 @@ tbl_hrule(struct termp *tp, const struct
 
 		rw = cpp == NULL || cpn == NULL ||
 		    (cpn->pos != TBL_CELL_DOWN &&
-		     (dpn == NULL || strcmp(dpn->string, "\\^") != 0))
+		     (dpn == NULL || dpn->string == NULL ||
+		      strcmp(dpn->string, "\\^") != 0))
 		    ? hw : 0;
 
 		/* The line crossing at the end of this column. */
--
 To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv