There's a fairly obvious bug in yacc's reader.c but I'm not sure what the right fix is. Witness:

    end_rule()
    {
        int i;

        if (!last_was_action && plhs[nrules]->tag) {
            for (i = nitems - 1; pitem[i]; --i) continue;
            if (pitem[i + 1] == 0 || pitem[i+1]->tag != plhs[nrules]->tag)
                ...
        }
        ...

...clearly if pitem[nitems-1] == NULL (and nitems is the size of the array from [0,nitems-1]) then the if() will access beyond the bounds of the array. There's also the question of i being able to run below 0 too here.

I don't know if the bug is here or if the bug is elsewhere in yacc, but I doubt that the "fix" is s/i + 1/i/. *Maybe* "i = nitems - 2;"? The bug can be masked by using calloc instead of malloc and similar other tricks, but there is something more fundamentally wrong here.

Has anyone else run into this?

Darren

Received on Sun Sep 23 2007 - 07:52:19 UTC
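As an added illustration, not code from the mail or from yacc: a constructed model of the backward scan end_rule() performs, with both indices guarded so that the two reads the mail worries about (pitem[nitems] when pitem[nitems-1] is NULL, and pitem[-1] when no separator precedes the rule) cannot occur. The bucket type, the NULL-separator convention and the demo_* inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of what the end_rule() loop in the mail touches:
 * each grammar item points at a bucket carrying a type tag, and rules
 * are separated by NULL entries in pitem[].  These are not yacc's own
 * definitions. */
typedef struct bucket { const char *name; const char *tag; } bucket;

/* Returns 1 when the first item of the rule ending at pitem[nitems-1]
 * carries lhs_tag, else 0.  Every index is checked against [0, nitems)
 * before pitem[] is dereferenced, unlike the unguarded scan in the mail. */
int first_item_tag_matches(bucket **pitem, int nitems, const char *lhs_tag)
{
    int i;
    if (nitems <= 0 || pitem[nitems - 1] == NULL)
        return 0;                       /* empty rule: no first item */
    /* walk back to the NULL that ends the previous rule, or to i == -1
     * if this is the first rule and there is no separator at all */
    for (i = nitems - 1; i >= 0 && pitem[i] != NULL; --i)
        continue;
    /* i + 1 <= nitems - 1 here because pitem[nitems - 1] != NULL */
    if (pitem[i + 1]->tag == NULL || lhs_tag == NULL)
        return 0;
    return strcmp(pitem[i + 1]->tag, lhs_tag) == 0;
}

/* constructed sample items, not from any real grammar */
static bucket sym_id   = { "id",   "int"  };
static bucket sym_expr = { "expr", "char" };

/* rule items {id, expr} after a separator: first item is tagged "int" */
int demo_typed_rule(void)
{
    bucket *pitem[] = { NULL, &sym_id, &sym_expr };
    return first_item_tag_matches(pitem, 3, "int");   /* 1 */
}

/* the case from the mail: pitem[nitems-1] is NULL (empty rule) */
int demo_empty_rule(void)
{
    bucket *pitem[] = { NULL, &sym_id, NULL };
    return first_item_tag_matches(pitem, 3, "int");   /* 0, no read past end */
}

/* first rule with no leading separator: scan must stop at i == -1 */
int demo_no_separator(void)
{
    bucket *pitem[] = { &sym_id, &sym_expr };
    return first_item_tag_matches(pitem, 2, "int");   /* 1, no read of pitem[-1] */
}
```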
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:18 UTC