
Index used before checking in Bison generated code.

From: Tim Deegan
Subject: Index used before checking in Bison generated code.
Date: Fri, 9 Aug 2013 19:06:38 +0100
User-agent: Mutt/


In parsers generated by Bison, the function yysyntax_error() uses its
yytoken argument to dereference an array before later testing whether
it's equal to YYEMPTY (a.k.a. -2):

yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                yytype_int16 *yyesa, yytype_int16 **yyes,
                YYSIZE_T *yyes_capacity, yytype_int16 *yyssp, int yytoken)
  YYSIZE_T yysize0 = yytnamerr (YY_NULL, yytname[yytoken]);


  if (yytoken != YYEMPTY)

If yytoken can be == YYEMPTY when this is called, it will underflow the
yytname[] array in the initializer for yysize0.  The immediate callers of
yysyntax_error() seem to allow for the possibility that yytoken ==
YYEMPTY, but I haven't dug any deeper.

I found this using STACK (http://css.csail.mit.edu/stack/) to scan
another project that uses Bison to generate its parsers, but the
generated code can be seen in the Bison sources themselves, as

I used Bison 2.5 (as shipped in debian wheezy), and also today's master
branch (a7280757105b2909f6a58fdd1c582de8e278319a), on x86_64 debian
wheezy on linux 3.2.35.



                                         Tim Deegan <address@hidden>
                     Who's the jaunty jackanapes with moxie and pizzazz?
                                        It's the Sneak!  It's the Sneak!
                       [ homestarrunner.com, "The Ballad of The Sneak" ]
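As an added illustration (not Bison's generated code and not part of the original message): a small C model of the ordering the report describes, next to the ordering that tests the sentinel before indexing the table. YYEMPTY keeps the value -2 from the report; tok_names, tnamerr and the size0_* functions are hypothetical stand-ins for yytname, yytnamerr and the initializer of yysize0.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define YYEMPTY (-2)   /* the sentinel value named in the report */

/* Constructed token-name table standing in for Bison's yytname[]. */
static const char *const tok_names[] = {
  "$end", "error", "$undefined", "NUMBER", "'+'", "'('", "')'"
};
#define NTOKENS ((int)(sizeof tok_names / sizeof tok_names[0]))

/* Simplified stand-in for yytnamerr(): with a NULL destination it only
   reports the length the name needs; otherwise it also copies the name. */
static size_t tnamerr(char *dst, const char *src)
{
  size_t n = strlen(src);
  if (dst != NULL)
    memcpy(dst, src, n + 1);
  return n;
}

/* Ordering from the report: the table is indexed in the initializer, before
   the YYEMPTY test.  Called with yytoken == YYEMPTY this reads tok_names[-2],
   an out-of-bounds read (undefined behaviour), so never call it that way. */
static size_t size0_unchecked(int yytoken)
{
  size_t size0 = tnamerr(NULL, tok_names[yytoken]);   /* use before check */
  if (yytoken != YYEMPTY)
    return size0;
  return 0;
}

/* Corrected ordering: reject the sentinel (and any index outside the table)
   before touching the array, so the initializer can never go out of bounds. */
static size_t size0_checked(int yytoken)
{
  if (yytoken == YYEMPTY || yytoken < 0 || yytoken >= NTOKENS)
    return 0;
  return tnamerr(NULL, tok_names[yytoken]);
}

int main(void)
{
  printf("NUMBER  -> %zu bytes\n", size0_unchecked(3));     /* 6 */
  printf("YYEMPTY -> %zu bytes\n", size0_checked(YYEMPTY)); /* 0 */
  return 0;
}
```

The checked variant is what a sanitizer- or STACK-style check would expect: the sentinel comparison happens before the array is indexed, so the same input that underflows the table in the unchecked variant yields a zero length instead.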
