[Bug 289420] mandoc core dump due to tag_put assertion

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 289420] mandoc core dump due to tag_put assertion"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 09 Sep 2025 22:36:35 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289420

Jessica Clarke <jrtc27@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Closed                      |Open
                 CC|                            |jrtc27@freebsd.org
         Resolution|FIXED                       |---

--- Comment #3 from Jessica Clarke <jrtc27@freebsd.org> ---
Just because the bug is in a -RELEASE version does not mean it is not a bug.
Users running releases are encouraged to report bugs they encounter. Issuing
Errata Notices is something that gets done when reported bugs are deemed
important enough to warrant fixing and the fix deemed low risk enough (taking
the severity into account). I believe the fix is the following upstream commit:

```
From 176a26ab0dba12d8c053376f32e5accba9e9166a Mon Sep 17 00:00:00 2001
From: schwarze <schwarze@openbsd.org>
Date: Wed, 8 Jun 2022 16:29:12 +0000
Subject: [PATCH] When looking for the next block to tag, we aren't interested
 in children of the current block but really want the next block instead. 
 This fixes a segfault reported by Evan Silberman <evan at jklol dot net> on
 bugs@.

---
 usr.bin/mandoc/mdoc_validate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/usr.bin/mandoc/mdoc_validate.c b/usr.bin/mandoc/mdoc_validate.c
index 9e681af4b509..aa47566638aa 100644
--- a/usr.bin/mandoc/mdoc_validate.c
+++ b/usr.bin/mandoc/mdoc_validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mdoc_validate.c,v 1.305 2021/10/04 14:18:42 schwarze Exp $ */
+/* $OpenBSD: mdoc_validate.c,v 1.306 2022/06/08 16:29:12 schwarze Exp $ */
 /*
  * Copyright (c) 2010-2021 Ingo Schwarze <schwarze@openbsd.org>
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -1098,7 +1098,8 @@ post_tg(POST_ARGS)
        /* Find the next node. */
        n = mdoc->last;
        for (nn = n; nn != NULL; nn = nn->parent) {
-               if (nn->next != NULL) {
+               if (nn->type != ROFFT_HEAD && nn->type != ROFFT_BODY &&
+                   nn->type != ROFFT_TAIL && nn->next != NULL) {
                        nn = nn->next;
                        break;
                }
```

which was imported into main in:

```
commit c1c95add8c80843ba15d784f95c361d795b1f593
Merge: 839fb85336a0 20de55b07cf9
Author:     Brooks Davis <brooks@FreeBSD.org>
AuthorDate: Fri Dec 6 20:47:31 2024 +0000
Commit:     Brooks Davis <brooks@FreeBSD.org>
CommitDate: Fri Dec 6 20:47:31 2024 +0000

    Merge mandoc snapshot 2024-09-22
```

and merged to stable/14 in:

```
commit dd276946d56197947c47fa7a37255859aea6e942
Author:     Brooks Davis <brooks@FreeBSD.org>
AuthorDate: Fri Dec 6 20:47:31 2024 +0000
Commit:     Alexander Ziaee <ziaee@FreeBSD.org>
CommitDate: Mon Jul 14 12:44:44 2025 -0400

    Merge mandoc snapshot 2024-09-22

    (cherry picked from commit c1c95add8c80843ba15d784f95c361d795b1f593)
```

If that is indeed the fix, and it can be applied to releng/14.3 without undue
consequences, then it may be considered for an EN in future. That it can be
triggered by a manpage in the wild is an important consideration for that
decision.

-- 
You are receiving this mail because:
You are the assignee for the bug.