yacc bug in reader.c:end_rule()

From: Darren Reed <darrenr_at_freebsd.org>
Date: Sun, 23 Sep 2007 02:53:31 -0700
There's a fairly obvious bug in yacc's reader.c but I'm not sure what 
the right fix is.

Witness:
end_rule()
{
    int i;

    if (!last_was_action && plhs[nrules]->tag)
    {
       for (i = nitems - 1; pitem[i]; --i) continue;
       if (pitem[i + 1] == 0 || pitem[i+1]->tag != plhs[nrules]->tag)
...
}

...clearly if pitem[nitems-1] == NULL (and nitems is the size of the
array from [0,nitems-1]) then the if() will access beyond the bounds
of the array.

There's also the question of i being able to run below 0 too here.

I don't know if the bug is here or if the bug is elsewhere in yacc,
but I doubt that the "fix" is s/i + 1/i/. *Maybe* "i = nitems - 2;"?

The bug can be masked by using calloc instead of malloc and similar
other tricks, but there is something more fundamentally wrong here.

Has anyone else run into this?

Darren
Received on Sun Sep 23 2007 - 07:52:19 UTC
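The out-of-bounds read described in the post, as an added example (not yacc's reader.c and not code from the post): a constructed stand-in for yacc's bucket and item list, the backward scan from end_rule() written so that it only reports which index would be dereferenced, and a bounds-checked version of the same lookup beside it. It assumes yacc's convention that a NULL entry in pitem[] separates one rule's items from the next, and compares tags as strings rather than interned pointers.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for yacc's bucket; only the tag is used here. */
typedef struct bucket { const char *name; const char *tag; } bucket;

/* Index that end_rule() would dereference as pitem[i + 1] after its
 * backward scan, computed without touching memory outside [0, nitems).
 * If pitem[nitems - 1] is already NULL the scan stops at once and the
 * result is nitems itself: one past the filled part of the array. */
static int unchecked_first_index(bucket **pitem, int nitems)
{
    int i;
    for (i = nitems - 1; i >= 0 && pitem[i] != NULL; --i)
        continue;             /* the original loop has no i >= 0 guard */
    return i + 1;
}

/* Bounds-checked version: index of the first item of the rule being
 * closed, or -1 when that rule has no items (the top of pitem is a
 * separator) or the list is empty.  The result is always < nitems. */
static int checked_first_index(bucket **pitem, int nitems)
{
    int i;
    if (nitems <= 0 || pitem[nitems - 1] == NULL)
        return -1;
    for (i = nitems - 1; i >= 0 && pitem[i] != NULL; --i)
        continue;
    return i + 1;             /* < nitems since pitem[nitems - 1] != NULL */
}

/* 1 if the first item's tag equals the LHS tag (no default-action
 * warning needed), else 0, including for a rule without items.
 * Tags are compared as strings here; yacc compares interned pointers. */
static int first_item_tag_matches(bucket **pitem, int nitems, const bucket *lhs)
{
    int first = checked_first_index(pitem, nitems);
    if (first < 0 || pitem[first]->tag == NULL || lhs->tag == NULL)
        return 0;
    return strcmp(pitem[first]->tag, lhs->tag) == 0;
}

/* Constructed item lists using yacc's convention of a NULL separator
 * before each rule's items.  rule_with_items ends in "expr : term";
 * empty_rule ends in "expr : ;" whose last entry is the separator. */
static bucket expr = { "expr", "node" }, plus = { "'+'", NULL },
              term = { "term", "node" }, lhs = { "expr", "node" };
static bucket *rule_with_items[] = { NULL, &expr, &plus, NULL, &term };
static bucket *empty_rule[]      = { NULL, &expr, &plus, NULL };
```

For empty_rule, unchecked_first_index() returns 4 with nitems == 4, which is exactly the pitem[nitems] access the post points at; the checked version reports -1 instead.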

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:18 UTC