[bug #62040] [troff] double-free crash provoked by HTML man(7) output
From: G. Branden Robinson
Subject: [bug #62040] [troff] double-free crash provoked by HTML man(7) output
Date: Tue, 15 Mar 2022 18:37:21 -0400 (EDT)
Follow-up Comment #4, bug #62040 (project groff):
This bug is not in groff 1.22.4. I exposed it at a considerable distance with
the following commit.
commit 384b5b2b235a053d905304abfe24712afe90d441 (HEAD, refs/bisect/bad)
Author: G. Branden Robinson <g.branden.robinson@gmail.com>
Date: Thu May 20 00:36:35 2021 +1000
tmac/an-old.tmac: Drop no-op .tl requests.
* tmac/an-old.tmac (an-header, an-footer): Drop no-op .tl requests.
[...]
diff --git a/tmac/an-old.tmac b/tmac/an-old.tmac
index 1747728a5..ed4769367 100644
--- a/tmac/an-old.tmac
+++ b/tmac/an-old.tmac
@@ -284,9 +284,7 @@
. ps \\n[PS]u
. vs \\n[VS]u
. lt \\n[LT]u
-. ie \\n[an-is-output-html] \
-. tl ''''
-. el \{\
+. if !\\n[an-is-output-html] \
. if !\\n[cR] \
. sp .5i
. PT
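Review bot: The added `. if !\\n[an-is-output-html] \` in this first hunk ends in a plain line continuation, whereas the removed `. el \{\` opened a brace block. As written, the condition guards only the nested `. if !\\n[cR] \` / `. sp .5i`, so `. PT` and anything that followed it inside the old block now run for HTML output as well, and the block's closing `\}` (not visible in this hunk) is left without an opener unless it is dropped elsewhere. The second hunk performs the same conversion with `\{\`; suggest `. if !\\n[an-is-output-html] \{\` here too, so the scope of the condition stays what the old `.el` branch had.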
@@ -310,10 +308,7 @@
. ps \\n[PS]u
. vs \\n[VS]u
. lt \\n[LT]u
-. ie \\n[an-is-output-html] \{\
-. tl ''''
-. \}
-. el \{\
+. if !\\n[an-is-output-html] \{\
. ie \\n[cR] \
. ds an-outer-footer-text "\\*[an-title](\\*[an-section])\"
. el \{\
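Review bot: The commit message calls the removed `. tl ''''` a no-op, but in this hunk it was the only request executed when `an-is-output-html` is set, and nothing in the message says how its lack of effect on HTML output was checked. After the change the HTML case skips the block entirely instead of emitting an empty title line. Suggest recording in the commit message what comparison justified the no-op claim (for example, output for the HTML device before and after), and adding a short comment above `. if !\\n[an-is-output-html] \{\` stating that the footer is deliberately suppressed for HTML.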
I say "exposed" rather than "caused" because a change to a macro package
should not be able to make the output driver drop core. It seems reasonable
to infer that a raw roff document could be constructed that would provoke the
same behavior.
With respect to _why_ this change exposed the bug, my surmise remains
consistent with comment #1. I think the blank titles put nodes on the output,
such that there was no longer "nothing" where the output driver was expecting
"something".
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?62040>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/