Do not prematurely close .Nd containing a broken child.

Fixes tree corruption leading to NULL dereference in insane cases like .Oo Oo .Nd .Pq Oc .Oc Oc found by tb@ with afl(1).
author: schwarze <schwarze@openbsd.org> 2017-02-11 14:08:35 +0000
committer: schwarze <schwarze@openbsd.org> 2017-02-11 14:08:35 +0000
commit: 449f27a4b0bcf3c3a607e67026912a6af6ae9121 (patch)
tree: 6c3d755b9aa3664b8f7be62cb1a25b9617861874
parent: sync (diff)
download: wireguard-openbsd-449f27a4b0bcf3c3a607e67026912a6af6ae9121.tar.xz
wireguard-openbsd-449f27a4b0bcf3c3a607e67026912a6af6ae9121.zip
1 files changed, 9 insertions, 3 deletions
diff --git a/usr.bin/mandoc/mdoc_macro.c b/usr.bin/mandoc/mdoc_macro.c
index d4025e4bcc2..85457cff887 100644
--- a/usr.bin/mandoc/mdoc_macro.c
+++ b/usr.bin/mandoc/mdoc_macro.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: mdoc_macro.c,v 1.170 2017/02/11 13:23:11 schwarze Exp $ */
+/*	$OpenBSD: mdoc_macro.c,v 1.171 2017/02/11 14:08:35 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010, 2012-2016 Ingo Schwarze <schwarze@openbsd.org>
@@ -645,10 +645,16 @@ blk_exp_close(MACRO_PROT_ARGS)
 			break;
 		}
 
-		/* Explicit blocks close out description lines. */
+		/*
+		 * Explicit blocks close out description lines, but
+		 * even those can get broken together with a child.
+		 */
 
 		if (n->tok == MDOC_Nd) {
-			rew_last(mdoc, n);
+			if (later != NULL)
+				n->flags |= NODE_BROKEN | NODE_ENDED;
+			else
+				rew_last(mdoc, n);
 			continue;
 		}
author	schwarze <schwarze@openbsd.org>	2017-02-11 14:08:35 +0000
committer	schwarze <schwarze@openbsd.org>	2017-02-11 14:08:35 +0000
commit	449f27a4b0bcf3c3a607e67026912a6af6ae9121 (patch)
tree	6c3d755b9aa3664b8f7be62cb1a25b9617861874
parent	sync (diff)
download	wireguard-openbsd-449f27a4b0bcf3c3a607e67026912a6af6ae9121.tar.xz wireguard-openbsd-449f27a4b0bcf3c3a607e67026912a6af6ae9121.zip