From b57aad23faa6782ab380ed7344d3397db11dd21e Mon Sep 17 00:00:00 2001 From: schwarze Date: Fri, 1 May 2015 16:56:36 +0000 Subject: [PATCH] mdoc_valid_post() may indirectly call roff_node_unlink() which may set ROFF_NEXT_CHILD, which is desirable for the final call to mdoc_valid_post() - in case the target itself gets deleted, the parse point may need this adjustment - but not for the intermediate calls - if intermediate nodes get deleted, that mustn't clobber the parse point. So move setting ROFF_NEXT_SIBLING to the proper place in rew_last(). This fixes the assertion failure in jsg@'s afl test case 108/Apr27. --- usr.bin/mandoc/mdoc_macro.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.bin/mandoc/mdoc_macro.c b/usr.bin/mandoc/mdoc_macro.c index eb1630ac148..36a1373095f 100644 --- a/usr.bin/mandoc/mdoc_macro.c +++ b/usr.bin/mandoc/mdoc_macro.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mdoc_macro.c,v 1.155 2015/05/01 16:01:53 schwarze Exp $ */ +/* $OpenBSD: mdoc_macro.c,v 1.156 2015/05/01 16:56:36 schwarze Exp $ */ /* * Copyright (c) 2008-2012 Kristaps Dzonsons * Copyright (c) 2010, 2012-2015 Ingo Schwarze @@ -261,7 +261,6 @@ rew_last(struct roff_man *mdoc, const struct roff_node *to) if (to->flags & MDOC_VALID) return; - mdoc->next = ROFF_NEXT_SIBLING; while (mdoc->last != to) { /* * Save the parent here, because we may delete the @@ -274,6 +273,7 @@ rew_last(struct roff_man *mdoc, const struct roff_node *to) mdoc->last = np; assert(mdoc->last); } + mdoc->next = ROFF_NEXT_SIBLING; mdoc_valid_post(mdoc); } -- 2.20.1