explicit blocks close out .Nd; fixing data structure corruption

eventually leading to NULL pointer access;
found by jsg@ with afl, text case #455.

5 files changed, 54 insertions, 4 deletions

diff --git a/regress/usr.bin/mandoc/mdoc/Nd/Makefile b/regress/usr.bin/mandoc/mdoc/Nd/Makefile
index 2087e87e2e8..d67804c44a6 100644
--- a/regress/usr.bin/mandoc/mdoc/Nd/Makefile
+++ b/regress/usr.bin/mandoc/mdoc/Nd/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.4 2015/02/04 16:38:31 schwarze Exp $
+# $OpenBSD: Makefile,v 1.5 2015/02/11 13:37:31 schwarze Exp $
 
-REGRESS_TARGETS	 = hyph noarg par
-LINT_TARGETS	 = noarg
+REGRESS_TARGETS	 = broken hyph noarg par
+LINT_TARGETS	 = broken noarg
 
 .include <bsd.regress.mk>
diff --git a/regress/usr.bin/mandoc/mdoc/Nd/broken.in b/regress/usr.bin/mandoc/mdoc/Nd/broken.in
new file mode 100644
index 00000000000..e61804ac7da
--- /dev/null
+++ b/regress/usr.bin/mandoc/mdoc/Nd/broken.in
@@ -0,0 +1,22 @@
+.Dd February 11, 2015
+.Dt ND-BROKEN 1
+.Os OpenBSD
+.Sh NAME
+.Oo
+.Nm Nd-broken
+.Nd description lines ended
+.Oc
+by explicit blocks
+.Sh DESCRIPTION
+Start nested lists:
+.Bl -tag -width Ds
+.Bl -tag -width Ds
+.It inner tag
+inner text
+.Nd inner description
+.El
+back to outer list
+.It outer tag
+outer text
+.El
+end of file
diff --git a/regress/usr.bin/mandoc/mdoc/Nd/broken.out_ascii b/regress/usr.bin/mandoc/mdoc/Nd/broken.out_ascii
new file mode 100644
index 00000000000..5752f975a91
--- /dev/null
+++ b/regress/usr.bin/mandoc/mdoc/Nd/broken.out_ascii
@@ -0,0 +1,17 @@
+ND-BROKEN(1)                General Commands Manual               ND-BROKEN(1)
+
+NNAAMMEE
+     [NNdd--bbrrookkeenn - description lines ended] by explicit blocks
+
+DDEESSCCRRIIPPTTIIOONN
+     Start nested lists:
+
+     inner tag
+             inner text - inner description
+     back to outer list
+
+     outer tag
+             outer text
+     end of file
+
+OpenBSD                        February 11, 2015                       OpenBSD
diff --git a/regress/usr.bin/mandoc/mdoc/Nd/broken.out_lint b/regress/usr.bin/mandoc/mdoc/Nd/broken.out_lint
new file mode 100644
index 00000000000..ffbf4a2f226
--- /dev/null
+++ b/regress/usr.bin/mandoc/mdoc/Nd/broken.out_lint
@@ -0,0 +1,4 @@
+mandoc: broken.in:5:2: WARNING: bad NAME section contents: Oo
+mandoc: broken.in:9:1: WARNING: bad NAME section contents: text
+mandoc: broken.in:13:2: WARNING: moving content out of list: Bl
+mandoc: broken.in:18:1: WARNING: moving content out of list: text
diff --git a/usr.bin/mandoc/mdoc_macro.c b/usr.bin/mandoc/mdoc_macro.c
index dc36316a99a..8ff01cabd9f 100644
--- a/usr.bin/mandoc/mdoc_macro.c
+++ b/usr.bin/mandoc/mdoc_macro.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: mdoc_macro.c,v 1.137 2015/02/10 17:47:19 schwarze Exp $ */
+/*	$OpenBSD: mdoc_macro.c,v 1.138 2015/02/11 13:37:31 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010, 2012-2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -628,6 +628,13 @@ blk_exp_close(MACRO_PROT_ARGS)
 			break;
 		}
 
+		/* Explicit blocks close out description lines. */
+
+		if (n->tok == MDOC_Nd) {
+			rew_last(mdoc, n);
+			continue;
+		}
+
 		/*
 		 * When finding an open sub block, remember the last
 		 * open explicit block, or, in case there are only