On Thu, Jun 11, 2020 at 04:53:25PM +0200, Romero Pérez, Abel wrote:
>
>
> On 2020-06-11 16:45, Klemens Nanni wrote:
> > On Thu, Jun 11, 2020 at 03:59:09PM +0200, Otto Moerbeek wrote:
> > > This already trips the bug;
> > >
> > > man -T html -c pfctl id
> > >
> > > No need for a custom man function. No clue yet why.
> > This is in mandoc's HTML parser, but only happens for multiple manuals
> > in html.c:html_reset_internal():
> >
> > 164 while ((tag = h->tag) != NULL) {
> > 165 h->tag = tag->next;
> > 166 free(tag);
> > 167 }
> >
> > Note that it crashes differently depending on the optimization level:
> >
> > $ cd /usr/src/usr.bin/mandoc
> > $ make DEBUG=-O0
> > $ ./obj/mandoc -Thtml `man -w id cat` >/dev/null ; echo $?
> > 0
> >
> > $ make DEBUG=-O1
> > $ ./obj/mandoc -Thtml `man -w id cat` >/dev/null
> > Segmentation fault (core dumped)
> >
> > $ make DEBUG=-O2
> > $ ./obj/mandoc -Thtml `man -w id cat` >/dev/null
> > mandoc(32092) in free(): bogus pointer (double free?) 0x6641bab613b
> > Abort trap (core dumped)
> >
> > Need to run now, but wanted to share what seems to be the right direction.
> >
Compile with -O0 to fix the bug temporarily.
But I also want to note that a binary does not need to be specified; it can be
just a file... (as the second man entry).
>
This fixes it for me,
-Otto
Index: main.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/main.c,v
retrieving revision 1.247
diff -u -p -r1.247 main.c
--- main.c 24 Feb 2020 21:15:05 -0000 1.247
+++ main.c 11 Jun 2020 15:06:43 -0000
@@ -872,7 +872,7 @@ parse(struct mparse *mp, int fd, const c
if (outst->outdata == NULL)
outdata_alloc(outst, outconf);
else if (outst->outtype == OUTT_HTML)
- html_reset(outst);
+ html_reset(outst->outdata);
mandoc_xr_reset();
meta = mparse_result(mp);
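Review bot: the one-line change is the right fix, but the hunk shows why the bug compiled silently and only surfaced on the second manual: `html_reset()` is called only in the `else` branch, i.e. once `outdata_alloc()` has already run for an earlier manual, and the old call handed it `outst` (the whole output state) instead of `outst->outdata` (the HTML handle that `outdata_alloc()` fills in). With the wrong struct, the `while ((tag = h->tag) != NULL)` loop quoted earlier walks whatever happens to lie at that offset in `struct outstate`, which is why the symptom shifts between a clean exit, a segfault and a "bogus pointer (double free?)" abort depending on the optimization level. If `html_reset()` accepts an untyped pointer, consider giving it the concrete HTML type (or adding a typed wrapper at this call site) so the compiler rejects a recurrence, and spell out in the commit message that the previous argument was the wrong object so the multi-manual trigger is recorded.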