On Thu, Jun 11, 2020 at 03:59:09PM +0200, Otto Moerbeek wrote:
> This already trips the bug:
>
> man -T html -c pfctl id
>
> No need for a custom man function. No clue yet why.
This is in mandoc's HTML parser, but only happens for multiple manuals
in html.c:html_reset_internal():
	while ((tag = h->tag) != NULL) {
		h->tag = tag->next;
		free(tag);
	}
Note that it crashes differently depending on the optimization level:
$ cd /usr/src/usr.bin/mandoc
$ make DEBUG=-O0
$ ./obj/mandoc -Thtml `man -w id cat` >/dev/null ; echo $?
0
$ make DEBUG=-O1
$ ./obj/mandoc -Thtml `man -w id cat` >/dev/null
Segmentation fault (core dumped)
$ make DEBUG=-O2
$ ./obj/mandoc -Thtml `man -w id cat` >/dev/null
mandoc(32092) in free(): bogus pointer (double free?) 0x6641bab613b
Abort trap (core dumped)
Need to run now, but wanted to share what seems to be the right direction.