From d548d6fbb54c6a48b2368ed7beec93fa35d26686 Mon Sep 17 00:00:00 2001
From: schwarze
Date: Tue, 21 Apr 2015 16:13:54 +0000
Subject: [PATCH] Avoid a use after free when the target node is deleted during validation. Bug reported by jsg@.
---
 usr.bin/mandoc/mdoc_macro.c | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/usr.bin/mandoc/mdoc_macro.c b/usr.bin/mandoc/mdoc_macro.c
index 9b0a57c3686..239bfea69ab 100644
--- a/usr.bin/mandoc/mdoc_macro.c
+++ b/usr.bin/mandoc/mdoc_macro.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mdoc_macro.c,v 1.149 2015/04/19 14:57:16 schwarze Exp $ */
+/* $OpenBSD: mdoc_macro.c,v 1.150 2015/04/21 16:13:54 schwarze Exp $ */
 /*
 * Copyright (c) 2008-2012 Kristaps Dzonsons
 * Copyright (c) 2010, 2012-2015 Ingo Schwarze
@@ -289,18 +289,21 @@ rew_pending(struct roff_man *mdoc, const struct roff_node *n)
 for (;;) {
 rew_last(mdoc, n);
- switch (n->type) {
- case ROFFT_HEAD:
- roff_body_alloc(mdoc, n->line, n->pos, n->tok);
- return;
- case ROFFT_BLOCK:
- break;
- default:
- return;
- }
-
- if ( ! (n->flags & MDOC_BROKEN))
- return;
+ if (mdoc->last == n) {
+ switch (n->type) {
+ case ROFFT_HEAD:
+ roff_body_alloc(mdoc, n->line, n->pos,
+ n->tok);
+ return;
+ case ROFFT_BLOCK:
+ break;
+ default:
+ return;
+ }
+ if ( ! (n->flags & MDOC_BROKEN))
+ return;
+ } else
+ n = mdoc->last;
 for (;;) {
 if ((n = n->parent) == NULL)
--
2.20.1
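Review bot: The new `if (mdoc->last == n)` guard in rew_pending() has no comment, yet it is the only thing keeping the `n->type` and `n->flags` reads away from a node that rew_last() may have freed during validation, so a later cleanup could drop it as redundant. I would add above it `/* rew_last() may delete n while validating; only dereference n if it is still mdoc->last. */`. The guard is a pointer-identity test against a possibly freed address, so it relies on no new node being allocated at that address before the comparison; this hunk cannot confirm that, and it is worth stating as an invariant or replacing with an explicit "deleted" result from rew_last(). In the `else` branch, `n = mdoc->last` is followed by `n->parent` in the inner loop, so the code also appears to assume mdoc->last is never NULL at this point. The function body starts and ends outside the hunk.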