* Crash in mandoc HEAD
@ 2014-08-15 13:53 Kristaps Dzonsons
2014-08-17 4:16 ` Ingo Schwarze
0 siblings, 1 reply; 2+ messages in thread
From: Kristaps Dzonsons @ 2014-08-15 13:53 UTC (permalink / raw)
To: tech
[-- Attachment #1: Type: text/plain, Size: 555 bytes --]
Hi folks,
I managed to crash mandoc(1) today while formatting a manual. Narrowed
down:
1 .Dd $Mdocdate$
2 .Dt FOO 1
3 .Os
4 .Sh NAME
5 .Nm foo
6 .Nd bar
7 .Sh DESCRIPTION
8 The
9 .Bl -hang
10 .It Nm Fo o
11 xyzzy
12 .El
In short, the "Fo" is continuing a node subtree perpetually and the HEAD
for the "It" on line 10 just keeps going. There's a check for
"n->next->child" which thus crashes because "n->next" is NULL.
The fix is very simple and enclosed.
Ok?
Best,
Kristaps
[-- Attachment #2: itcrash.diff --]
[-- Type: text/plain, Size: 614 bytes --]
Index: mdoc_term.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/mdoc_term.c,v
retrieving revision 1.276
diff -u -p -r1.276 mdoc_term.c
--- mdoc_term.c 10 Aug 2014 23:54:41 -0000 1.276
+++ mdoc_term.c 15 Aug 2014 13:53:07 -0000
@@ -806,7 +806,7 @@ termp_it_pre(DECL_ARGS)
* the "overstep" effect in term_flushln() and treat
* this as a `-ohang' list instead.
*/
- if (n->next->child &&
+ if (NULL != n->next && NULL != n->next->child &&
(MDOC_Bl == n->next->child->tok ||
MDOC_Bd == n->next->child->tok))
break;
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: Crash in mandoc HEAD
2014-08-15 13:53 Crash in mandoc HEAD Kristaps Dzonsons
@ 2014-08-17 4:16 ` Ingo Schwarze
0 siblings, 0 replies; 2+ messages in thread
From: Ingo Schwarze @ 2014-08-17 4:16 UTC (permalink / raw)
To: Kristaps Dzonsons; +Cc: tech
Hi Kristaps,
Kristaps Dzonsons wrote on Fri, Aug 15, 2014 at 03:53:49PM +0200:
> I managed to crash mandoc(1) today while formatting a manual.
> Narrowed down:
>
> 1 .Dd $Mdocdate$
> 2 .Dt FOO 1
> 3 .Os
> 4 .Sh NAME
> 5 .Nm foo
> 6 .Nd bar
> 7 .Sh DESCRIPTION
> 8 The
> 9 .Bl -hang
> 10 .It Nm Fo o
> 11 xyzzy
> 12 .El
>
> In short, the "Fo" is continuing a node subtree perpetually and the
> HEAD for the "It" on line 10 just keeps going. There's a check for
> "n->next->child" which thus crashes because "n->next" is NULL.
>
> The fix is very simple and enclosed.
That's nearly right, but insufficient, the same pointer is
accessed a second time a few lines below, so it still crashes.
Please commit ASAP in the following form, I'll take care of the
merging.
Thanks,
Ingo
Index: mdoc_term.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/mdoc_term.c,v
retrieving revision 1.177
diff -u -p -r1.177 mdoc_term.c
--- mdoc_term.c 8 Aug 2014 16:17:09 -0000 1.177
+++ mdoc_term.c 17 Aug 2014 04:08:09 -0000
@@ -804,7 +804,7 @@ termp_it_pre(DECL_ARGS)
* the "overstep" effect in term_flushln() and treat
* this as a `-ohang' list instead.
*/
- if (n->next->child &&
+ if (NULL != n->next && NULL != n->next->child &&
(MDOC_Bl == n->next->child->tok ||
MDOC_Bd == n->next->child->tok))
break;
@@ -860,7 +860,8 @@ termp_it_pre(DECL_ARGS)
* don't want to recalculate rmargin and offsets when
* using `Bd' or `Bl' within `-hang' overstep lists.
*/
- if (MDOC_HEAD == n->type && n->next->child &&
+ if (MDOC_HEAD == n->type &&
+ NULL != n->next && NULL != n->next->child &&
(MDOC_Bl == n->next->child->tok ||
MDOC_Bd == n->next->child->tok))
break;
--
To unsubscribe send an email to tech+unsubscribe@mdocml.bsd.lv
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-08-17 4:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-08-15 13:53 Crash in mandoc HEAD Kristaps Dzonsons
2014-08-17 4:16 ` Ingo Schwarze
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).