From 16f08be4b1abba81be4ac4886c15fed8f48a0898 Mon Sep 17 00:00:00 2001
From: schwarze
Date: Wed, 29 Apr 2015 12:44:10 +0000
Subject: [PATCH] When the last line of a table layout turns out to be empty, it is deleted. Do not just free the struct tbl_row but also make sure that no pointer to it remains. Fixing a use after free found by jsg@ with afl.
---
 usr.bin/mandoc/tbl_layout.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/usr.bin/mandoc/tbl_layout.c b/usr.bin/mandoc/tbl_layout.c
index 7e4655479d0..8f95b0a5a95 100644
--- a/usr.bin/mandoc/tbl_layout.c
+++ b/usr.bin/mandoc/tbl_layout.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tbl_layout.c,v 1.25 2015/02/10 11:02:19 schwarze Exp $ */
+/* $OpenBSD: tbl_layout.c,v 1.26 2015/04/29 12:44:10 schwarze Exp $ */
 /*
 * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons
 * Copyright (c) 2012, 2014, 2015 Ingo Schwarze
@@ -306,6 +306,7 @@ tbl_layout(struct tbl_node *tbl, int ln, const char *p, int pos)
 rp->next->first == NULL) {
 free(rp->next);
 rp->next = NULL;
+ tbl->last_row = rp;
 }
 }
 return;
-- 
2.20.1
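Review bot: The added `tbl->last_row = rp;` in the second hunk is only right if the row being freed is the tail of the list, and the visible condition (`rp->next->first == NULL`) does not check that. Whether an empty row can occur before the end of the layout cannot be determined from this hunk; if it can, `free(rp->next); rp->next = NULL;` would orphan every row behind it and `last_row` would be set on a truncated list. Either add `rp->next->next == NULL` to the condition or record the invariant next to the assignment, e.g. `/* rp->next was the tail; keep last_row off the freed row. */`. Since this use after free was found by fuzzing, a regression input covering an empty last layout line would keep the dangling `last_row` from coming back. The enclosing loop and the body of `tbl_layout` begin outside the hunk.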