From d6b66b3e9ad8c458645ddd84f1cf7e304b486115 Mon Sep 17 00:00:00 2001 From: Ingo Schwarze Date: Sat, 13 Aug 2016 09:14:57 +0000 Subject: Even after switching from a pending head to the body, we have to continue scanning upwards, because the enclosing block might already be pending as well, e.g. .Bl .Bl .It Bo .El .It. Tree corruption leading to a later NULL deref found by tb@ with afl(1). --- usr.bin/mandoc/mdoc_macro.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'usr.bin') diff --git a/usr.bin/mandoc/mdoc_macro.c b/usr.bin/mandoc/mdoc_macro.c index 2d76e1e7369..7bc6b7057b4 100644 --- a/usr.bin/mandoc/mdoc_macro.c +++ b/usr.bin/mandoc/mdoc_macro.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mdoc_macro.c,v 1.162 2015/10/20 02:00:49 schwarze Exp $ */ +/* $OpenBSD: mdoc_macro.c,v 1.163 2016/08/13 09:14:56 schwarze Exp $ */ /* * Copyright (c) 2008-2012 Kristaps Dzonsons * Copyright (c) 2010, 2012-2015 Ingo Schwarze @@ -290,7 +290,7 @@ rew_pending(struct roff_man *mdoc, const struct roff_node *n) case ROFFT_HEAD: roff_body_alloc(mdoc, n->line, n->pos, n->tok); - return; + break; case ROFFT_BLOCK: break; default: -- cgit v1.2.3
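Review bot: In the ROFFT_HEAD case of rew_pending(), replacing `return;` with `break;` leaves nothing in the code that says why the function must keep going after roff_body_alloc(). The case now ends the same way as `case ROFFT_BLOCK:`, so a later cleanup could easily restore the early return. A short comment above the `break;`, along the lines of the commit message (the enclosing block may itself be pending, so scanning upwards has to continue), would keep the reasoning next to the code. The diffstat shows only mdoc_macro.c changed, so the input quoted in the commit message (.Bl .Bl .It Bo .El .It) is not captured as a regression test in this commit; adding it would guard against the tree corruption coming back. The code that runs after the switch is outside the visible context, so it is worth confirming that it copes with the state left by roff_body_alloc() now that this path reaches it.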