mdoc_valid_post() may indirectly call roff_node_unlink() which may

set ROFF_NEXT_CHILD, which is desirable for the final call to
mdoc_valid_post() - in case the target itself gets deleted, the
parse point may need this adjustment - but not for the intermediate
calls - if intermediate nodes get deleted, that mustn't clobber the
parse point.  So move setting ROFF_NEXT_SIBLING to the proper place
in rew_last().

This fixes the assertion failure in jsg@'s afl test case 108/Apr27.

1 files changed, 2 insertions, 2 deletions

diff --git a/usr.bin/mandoc/mdoc_macro.c b/usr.bin/mandoc/mdoc_macro.c
index eb1630ac148..36a1373095f 100644
--- a/usr.bin/mandoc/mdoc_macro.c
+++ b/usr.bin/mandoc/mdoc_macro.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: mdoc_macro.c,v 1.155 2015/05/01 16:01:53 schwarze Exp $ */
+/*	$OpenBSD: mdoc_macro.c,v 1.156 2015/05/01 16:56:36 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010, 2012-2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -261,7 +261,6 @@ rew_last(struct roff_man *mdoc, const struct roff_node *to)
 	if (to->flags & MDOC_VALID)
 		return;
 
-	mdoc->next = ROFF_NEXT_SIBLING;
 	while (mdoc->last != to) {
 		/*
 		 * Save the parent here, because we may delete the
@@ -274,6 +273,7 @@ rew_last(struct roff_man *mdoc, const struct roff_node *to)
 		mdoc->last = np;
 		assert(mdoc->last);
 	}
+	mdoc->next = ROFF_NEXT_SIBLING;
 	mdoc_valid_post(mdoc);
 }