Index used before checking in Bison generated code.
From: Tim Deegan
Subject: Index used before checking in Bison generated code.
Date: Fri, 9 Aug 2013 19:06:38 +0100
User-agent: Mutt/1.4.2.1i
Hello,
In parsers generated by Bison, the function yysyntax_error() uses its
yytoken argument to dereference an array before later testing whether
it's equal to YYEMPTY (a.k.a. -2):
    yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                    yytype_int16 *yyesa, yytype_int16 **yyes,
                    YYSIZE_T *yyes_capacity, yytype_int16 *yyssp, int yytoken)
    {
      YYSIZE_T yysize0 = yytnamerr (YY_NULL, yytname[yytoken]);
      [...]
      if (yytoken != YYEMPTY)
        {
If yytoken can be == YYEMPTY when this is called, it will underflow the
yytname[] array in the initializer for yysize0. The immediate callers of
yysyntax_error() seem to allow for the possibility that yytoken ==
YYEMPTY, but I haven't dug any deeper.
I found this using STACK (http://css.csail.mit.edu/stack/) to scan
another project that uses Bison to generate its parsers, but the
generated code can be seen in the Bison sources themselves, as
src/parse-gram.c.
I used Bison 2.5 (as shipped in debian wheezy), and also today's master
branch (a7280757105b2909f6a58fdd1c582de8e278319a), on x86_64 debian
wheezy on linux 3.2.35.
Thanks,
Tim.
--
Tim Deegan <address@hidden>
Who's the jaunty jackanapes with moxie and pizzazz?
It's the Sneak! It's the Sneak!
[ homestarrunner.com, "The Ballad of The Sneak" ]
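The use-before-check pattern the mail describes, shown as an added example that is not Bison's own code and not part of the original message. The names YYEMPTY and yytname are kept as stand-ins for the generated parser's identifiers; the token table contents, the name_size helper (standing in for yytnamerr's size-only mode) and the two msg_size_* functions are constructed for this illustration. The hardened variant tests for the YYEMPTY sentinel and for the table bounds before it indexes yytname, which is the check that the reported code performs too late.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the Bison-generated names in the report;
 * the table contents are invented for this example. */
#define YYEMPTY   (-2)
#define YYNTOKENS 4

static const char *const yytname[YYNTOKENS] = { "$end", "error", "NUMBER", "PLUS" };

/* Stand-in for yytnamerr's size-only mode: just the name's length. */
static size_t name_size(const char *name)
{
  return strlen(name);
}

/* Pattern from the report: the table is indexed before yytoken is
 * compared with YYEMPTY, so yytoken == YYEMPTY reads yytname[-2].
 * Kept only for comparison; never call it with YYEMPTY. */
static size_t msg_size_unchecked(int yytoken)
{
  size_t yysize0 = name_size(yytname[yytoken]); /* out of bounds when yytoken == YYEMPTY */
  if (yytoken != YYEMPTY)
    return yysize0;
  return 0;
}

/* Hardened version: decide whether there is a token at all, and that the
 * index lies inside the table, before touching yytname. Returns 0 on
 * success with the size in *out, and -1 for a value that is neither
 * YYEMPTY nor a valid token number (a caller bug worth surfacing). */
static int msg_size_checked(int yytoken, size_t *out)
{
  if (yytoken == YYEMPTY) {
    *out = 0;            /* no lookahead token: nothing to name */
    return 0;
  }
  if (yytoken < 0 || yytoken >= YYNTOKENS)
    return -1;           /* any other out-of-range index is rejected, not dereferenced */
  *out = name_size(yytname[yytoken]);
  return 0;
}

int main(void)
{
  size_t n = 0;
  int tokens[] = { 2, YYEMPTY, 99 };
  for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
    int rc = msg_size_checked(tokens[i], &n);
    printf("yytoken=%d -> rc=%d size=%zu\n", tokens[i], rc, n);
  }
  return 0;
}
```

The sentinel test and the bounds test are separate on purpose: YYEMPTY is a legitimate "no token" state that the caller is expected to pass, while any other negative or too-large value indicates a bug in the caller, and a checker such as the STACK tool mentioned above flags exactly the first form, where the dereference precedes the comparison that would have excluded it.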