Do not mark a block with the MDOC_BROKEN flag if it merely contains

a mismatching explicit end macro without actually being broken.
Avoids a subsequent upward search for the non-existent breaker
ending up in a NULL pointer access; afl test case 005/Apr27 from jsg@.

diff --git a/usr.bin/mandoc/mdoc_macro.c b/usr.bin/mandoc/mdoc_macro.c
index bfebe2c..76ff272 100644 (file)
--- a/usr.bin/mandoc/mdoc_macro.c
+++ b/usr.bin/mandoc/mdoc_macro.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: mdoc_macro.c,v 1.151 2015/04/23 15:35:39 schwarze Exp $ */
+/*     $OpenBSD: mdoc_macro.c,v 1.152 2015/04/29 14:48:17 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010, 2012-2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -642,6 +642,8 @@ blk_exp_close(MACRO_PROT_ARGS)
        if (body == NULL) {
                mandoc_msg(MANDOCERR_BLK_NOTOPEN, mdoc->parse,
                    line, ppos, mdoc_macronames[tok]);
+               if (later != NULL)
+                       later->flags &= ~MDOC_BROKEN;
                if (maxargs && endbody == NULL) {
                        /*
                         * Stray .Ec without previous .Eo: