From 012b0a63e80b5d6c24ffc3ddc292861aa4132cc6 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Fri, 30 Jan 2015 17:32:16 +0000
Subject: Delete the redundant tbl span flags, just inspect the actual data
 where needed, which is less fragile. This fixes a subtle NULL pointer access
 to tp->tbl.cols: Due to a bug in the man(7) parser, the first span of a table
 can end up in a .TP head, in which case tblcalc() was never called. Found by
 jsg@ with afl.

---
 man_term.c | 4 ++--
 mandoc.h   | 5 +----
 tbl.c      | 6 +-----
 tbl_data.c | 3 +--
 tbl_html.c | 6 +++---
 tbl_term.c | 6 +++---
 6 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/man_term.c b/man_term.c
index ab6e5b06..830f82cb 100644
--- a/man_term.c
+++ b/man_term.c
@@ -1,4 +1,4 @@
-/*	$Id: man_term.c,v 1.166 2015/01/24 02:41:49 schwarze Exp $ */
+/*	$Id: man_term.c,v 1.167 2015/01/30 17:32:16 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -949,7 +949,7 @@ print_man_node(DECL_ARGS)
 		 * Tables are preceded by a newline.  Then process a
 		 * table line, which will cause line termination,
 		 */
-		if (TBL_SPAN_FIRST & n->span->flags)
+		if (n->span->prev == NULL)
 			term_newln(p);
 		term_tbl(p, n->span);
 		return;
diff --git a/mandoc.h b/mandoc.h
index 42eb858d..01dbafa6 100644
--- a/mandoc.h
+++ b/mandoc.h
@@ -1,4 +1,4 @@
-/*	$Id: mandoc.h,v 1.193 2015/01/30 04:11:50 schwarze Exp $ */
+/*	$Id: mandoc.h,v 1.194 2015/01/30 17:32:16 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -285,9 +285,6 @@ struct	tbl_span {
 	struct tbl_span	 *prev;
 	struct tbl_span	 *next;
 	int		  line; /* parse line */
-	int		  flags;
-#define	TBL_SPAN_FIRST	 (1 << 0)
-#define	TBL_SPAN_LAST	 (1 << 1)
 	enum tbl_spant	  pos;
 };
 
diff --git a/tbl.c b/tbl.c
index 1a84a4a3..00ee4661 100644
--- a/tbl.c
+++ b/tbl.c
@@ -1,4 +1,4 @@
-/*	$Id: tbl.c,v 1.38 2015/01/30 04:11:50 schwarze Exp $ */
+/*	$Id: tbl.c,v 1.39 2015/01/30 17:32:16 schwarze Exp $ */
 /*
  * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -179,9 +179,5 @@ tbl_end(struct tbl_node **tblp)
 		    tbl->line, tbl->pos, NULL);
 		return(0);
 	}
-
-	if (tbl->last_span != NULL)
-		tbl->last_span->flags |= TBL_SPAN_LAST;
-
 	return(1);
 }
diff --git a/tbl_data.c b/tbl_data.c
index 9d52f114..e2be64eb 100644
--- a/tbl_data.c
+++ b/tbl_data.c
@@ -1,4 +1,4 @@
-/*	$Id: tbl_data.c,v 1.38 2015/01/30 04:11:50 schwarze Exp $ */
+/*	$Id: tbl_data.c,v 1.39 2015/01/30 17:32:16 schwarze Exp $ */
 /*
  * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -173,7 +173,6 @@ newspan(struct tbl_node *tbl, int line, struct tbl_row *rp)
 	if (dp->prev == NULL) {
 		tbl->first_span = dp;
 		tbl->current_span = NULL;
-		dp->flags |= TBL_SPAN_FIRST;
 	} else
 		dp->prev->next = dp;
 	tbl->last_span = dp;
diff --git a/tbl_html.c b/tbl_html.c
index 9f982ce3..e7940381 100644
--- a/tbl_html.c
+++ b/tbl_html.c
@@ -1,4 +1,4 @@
-/*	$Id: tbl_html.c,v 1.15 2015/01/30 04:11:50 schwarze Exp $ */
+/*	$Id: tbl_html.c,v 1.16 2015/01/30 17:32:16 schwarze Exp $ */
 /*
  * Copyright (c) 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -54,7 +54,7 @@ html_tblopen(struct html *h, const struct tbl_span *sp)
 	struct roffcol	*col;
 	int		 ic;
 
-	if (sp->flags & TBL_SPAN_FIRST) {
+	if (h->tbl.cols == NULL) {
 		h->tbl.len = html_tbl_len;
 		h->tbl.slen = html_tbl_strlen;
 		tblcalc(&h->tbl, sp, 0);
@@ -132,7 +132,7 @@ print_tbl(struct html *h, const struct tbl_span *sp)
 
 	h->flags &= ~HTML_NONOSPACE;
 
-	if (sp->flags & TBL_SPAN_LAST) {
+	if (sp->next == NULL) {
 		assert(h->tbl.cols);
 		free(h->tbl.cols);
 		h->tbl.cols = NULL;
diff --git a/tbl_term.c b/tbl_term.c
index d30bd590..455a158d 100644
--- a/tbl_term.c
+++ b/tbl_term.c
@@ -1,4 +1,4 @@
-/*	$Id: tbl_term.c,v 1.36 2015/01/30 04:11:50 schwarze Exp $ */
+/*	$Id: tbl_term.c,v 1.37 2015/01/30 17:32:16 schwarze Exp $ */
 /*
  * Copyright (c) 2009, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2012, 2014, 2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -81,7 +81,7 @@ term_tbl(struct termp *tp, const struct tbl_span *sp)
 	 * calculate the table widths and decimal positions.
 	 */
 
-	if (sp->flags & TBL_SPAN_FIRST) {
+	if (tp->tbl.cols == NULL) {
 		term_flushln(tp);
 
 		tp->tbl.len = term_tbl_len;
@@ -189,7 +189,7 @@ term_tbl(struct termp *tp, const struct tbl_span *sp)
 	 * existing table configuration and set it to NULL.
 	 */
 
-	if (sp->flags & TBL_SPAN_LAST) {
+	if (sp->next == NULL) {
 		if (sp->opts->opts & (TBL_OPT_DBOX | TBL_OPT_BOX)) {
 			tbl_hrule(tp, sp, 1);
 			tp->skipvsp = 1;
-- 
cgit v1.2.3