From 56160448f2bebc951cd528651be685bb3adc4354 Mon Sep 17 00:00:00 2001 From: schwarze Date: Sat, 13 Aug 2016 09:14:56 +0000 Subject: [PATCH] Even after switching from a pending head to the body, we have to continue scanning upwards, because the enclosing block might already be pending as well, e.g. .Bl .Bl .It Bo .El .It. Tree corruption leading to a later NULL deref found by tb@ with afl(1). --- usr.bin/mandoc/mdoc_macro.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.bin/mandoc/mdoc_macro.c b/usr.bin/mandoc/mdoc_macro.c index 2d76e1e7369..7bc6b7057b4 100644 --- a/usr.bin/mandoc/mdoc_macro.c +++ b/usr.bin/mandoc/mdoc_macro.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mdoc_macro.c,v 1.162 2015/10/20 02:00:49 schwarze Exp $ */ +/* $OpenBSD: mdoc_macro.c,v 1.163 2016/08/13 09:14:56 schwarze Exp $ */ /* * Copyright (c) 2008-2012 Kristaps Dzonsons * Copyright (c) 2010, 2012-2015 Ingo Schwarze @@ -290,7 +290,7 @@ rew_pending(struct roff_man *mdoc, const struct roff_node *n) case ROFFT_HEAD: roff_body_alloc(mdoc, n->line, n->pos, n->tok); - return; + break; case ROFFT_BLOCK: break; default: -- 2.20.1
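Review bot: The `break;` that replaces `return;` under `case ROFFT_HEAD:` in `rew_pending()` has no comment, so the reason for continuing the scan is recorded only in the commit message. With this change the HEAD case ends the same way as the `case ROFFT_BLOCK: break;` directly below it, and a later reader could mistake leaving the switch after `roff_body_alloc()` for an oversight and restore the early return. A short comment at that line, for example `/* The enclosing block may be pending as well; keep scanning upwards. */`, would keep the reasoning next to the code. The diffstat shows only `mdoc_macro.c` changing, so consider also adding the input from the commit message (`.Bl .Bl .It Bo .El .It`) as a regression test, so the tree corruption found with afl(1) stays covered.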