Hi Anthony,
Anthony J. Bentley wrote on Tue, Feb 12, 2019 at 11:01:14PM -0700:
> This simplified example from syncthing-bep(7) causes a crash:
>
> .TS
> center;
> |l|l|.
> _
> T{
> A
> T} T{
> B
> T}
> _
> T{
> D
> T} T{
> T}
> _
> .TE
>
> Program received signal SIGSEGV, Segmentation fault.
> strcmp () at /usr/src/lib/libc/arch/amd64/string/strcmp.S:59
> 59 movb (%rdi),%al
> (gdb) bt
> #0 strcmp () at /usr/src/lib/libc/arch/amd64/string/strcmp.S:59
> #1 0x00000e4f8ac99b7f in tbl_hrule (tp=0xe524e0aae00, spp=0xe51b8c5cd80,
> spn=0xe524a503080, flags=0) at tbl_term.c:671
> #2 0x00000e4f8ac98e8c in term_tbl (tp=0xe524e0aae00, sp=<optimized out>)
> at tbl_term.c:343
> #3 0x00000e4f8ac959c1 in print_man_nodelist (n=0xe519e437000,
> p=<optimized out>, mt=<optimized out>, meta=<optimized out>)
> at man_term.c:989
> #4 terminal_man (arg=0xe524e0aae00, man=0xe521a68a600) at man_term.c:182
> #5 0x00000e4f8ac88f61 in parse (curp=<optimized out>, fd=<optimized out>,
> file=<optimized out>) at main.c:855
> #6 0x00000e4f8ac882c2 in main (argc=0, argv=0x7f7ffffda3b0) at main.c:471
Fixed with the commit below, thanks for reporting!
Ingo
Log Message:
-----------
fix a NULL pointer access on empty tbl(7) data cells
that bentley@ found in syncthing-bep(7)
Modified Files:
--------------
mandoc:
tbl_term.c
Revision Data
-------------
Index: tbl_term.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/tbl_term.c,v
retrieving revision 1.69
retrieving revision 1.70
diff -Ltbl_term.c -Ltbl_term.c -u -p -r1.69 -r1.70
--- tbl_term.c
+++ tbl_term.c
@@ -629,7 +629,8 @@ tbl_hrule(struct termp *tp, const struct
lw = cpp == NULL || cpn == NULL ||
(cpn->pos != TBL_CELL_DOWN &&
- (dpn == NULL || strcmp(dpn->string, "\\^") != 0))
+ (dpn == NULL || dpn->string == NULL ||
+ strcmp(dpn->string, "\\^") != 0))
? hw : 0;
tbl_direct_border(tp, BHORIZ * lw,
col->width + col->spacing / 2);
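Review bot: The new `dpn->string == NULL` test in the `lw` expression carries no comment saying when a data cell's string can be NULL, and the commit modifies only tbl_term.c, so nothing guards this path against regression. Suggest a one-line comment above the expression noting that an empty data cell has a NULL string and is deliberately treated the same as a cell that is not a `\\^` span. Also consider adding the reduced table from the report as a regression test.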
@@ -675,7 +676,8 @@ tbl_hrule(struct termp *tp, const struct
rw = cpp == NULL || cpn == NULL ||
(cpn->pos != TBL_CELL_DOWN &&
- (dpn == NULL || strcmp(dpn->string, "\\^") != 0))
+ (dpn == NULL || dpn->string == NULL ||
+ strcmp(dpn->string, "\\^") != 0))
? hw : 0;
/* The line crossing at the end of this column. */
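Review bot: The `rw` expression repeats the test from the `lw` expression in the previous hunk verbatim, so the NULL check had to be added twice. Suggest moving `dpn == NULL || dpn->string == NULL || strcmp(dpn->string, "\\^") != 0` into a small static helper in tbl_term.c, so that any other place comparing a data cell's string against `\\^` gets the NULL guard as well.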