From: otto
Date: Tue, 8 Jul 2008 15:06:50 +0000 (+0000)
Subject: Fix a venerable bug: if we're reducing a rule that has an empty
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=539ddd41d4432ce65f3ea79459c50c8a876a0ea7;p=openbsd

Fix a venerable bug: if we're reducing a rule that has an empty right hand side and the yacc stackpointer is pointing at the very end of the allocated stack, we end up accessing the stack out of bounds by the implicit $$ = $1 action. Detected by my new malloc, experienced by sturm@ on sparc64; ok deraadt@

---

diff --git a/usr.bin/yacc/skeleton.c b/usr.bin/yacc/skeleton.c index 2b1739f2697..082ae29d39d 100644 --- a/usr.bin/yacc/skeleton.c +++ b/usr.bin/yacc/skeleton.c @@ -1,4 +1,4 @@ -/* $OpenBSD: skeleton.c,v 1.28 2007/09/03 21:14:58 deraadt Exp $ */ +/* $OpenBSD: skeleton.c,v 1.29 2008/07/08 15:06:50 otto Exp $ */ /* $NetBSD: skeleton.c,v 1.10 1996/03/25 00:36:18 mrg Exp $ */ /* @@ -63,9 +63,10 @@ char *banner[] = "#if __GNUC__ >= 2", " __attribute__ ((unused))", "#endif /* __GNUC__ >= 2 */", - " = \"$OpenBSD: skeleton.c,v 1.28 2007/09/03 21:14:58 deraadt Exp $\";", + " = \"$OpenBSD: skeleton.c,v 1.29 2008/07/08 15:06:50 otto Exp $\";", "#endif", "#include ", + "#include ", "#define YYBYACC 1", "#define YYMAJOR 1", "#define YYMINOR 9", @@ -346,7 +347,10 @@ char *body[] = " YYPREFIX, yystate, yyn, yyrule[yyn]);", "#endif", " yym = yylen[yyn];", - " yyval = yyvsp[1-yym];", + " if (yym)", + " yyval = yyvsp[1-yym];", + " else", + " memset(&yyval, 0, sizeof yyval);", " switch (yyn)", " {", 0
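
Review bot: the `#include` line added to `banner[]` in the `@@ -63,9 +63,10 @@` hunk carries no hint that it exists for the `memset` call introduced in `body[]`. Because the banner is emitted into every generated parser, a short comment beside the string tying it to the reduce code would stop a later cleanup from dropping the include and leaving generated parsers calling `memset` without a declaration.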
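
Review bot: the `if (yym)` / `else` pair in the `@@ -346,7 +347,10 @@` hunk is emitted without a comment explaining why a zero-length rule is special. Suggest a one-line comment in the skeleton text saying that for `yym == 0` the index `1-yym` is `1`, one slot above the stack top, so the branch is not folded back into the unconditional `yyval = yyvsp[1-yym];` later. It is also worth stating in the commit message or the yacc documentation that an empty rule with no explicit action now yields an all-zero `$$` from `memset(&yyval, 0, sizeof yyval)` rather than whatever the slot above the top held, since a grammar that happened to depend on that stale value changes behaviour.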
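
The index arithmetic behind the commit message, as an added example that is not part of the commit or of OpenBSD's yacc: it models a four-slot value stack and shows when the unconditional `sp[1 - len]` read leaves the allocation, next to the guarded form. The type `VAL`, the struct `vstack`, the function names and the sample slot values are all hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed miniature of a yacc value stack; all names are hypothetical. */
typedef union { int ival; void *ptr; } VAL;      /* stand-in for YYSTYPE */

struct vstack {
    VAL   *base;   /* first allocated slot */
    size_t size;   /* number of allocated slots */
    VAL   *sp;     /* current top of stack, like yyvsp */
};

static VAL slots[4] = { {10}, {20}, {30}, {40} }; /* constructed sample values */

/* Stack whose top is slot `top` of the 4-slot allocation. */
struct vstack stack_with_top(size_t top)
{
    struct vstack s = { slots, 4, slots + top };
    return s;
}

/* 1 if the unconditional read sp[1 - len] stays inside the allocation. */
int implicit_read_in_bounds(struct vstack s, int len)
{
    ptrdiff_t idx = (s.sp - s.base) + 1 - len;
    return idx >= 0 && (size_t)idx < s.size;
}

/* Default "$$" with the guard from the patch: read $1 only if the rule has one. */
VAL default_value(struct vstack s, int len)
{
    VAL v;
    if (len)
        v = s.sp[1 - len];
    else
        memset(&v, 0, sizeof v);
    return v;
}

int main(void)
{
    struct vstack full = stack_with_top(3);      /* sp at the very end */
    printf("len=0 in bounds: %d\n", implicit_read_in_bounds(full, 0));
    printf("len=2 in bounds: %d\n", implicit_read_in_bounds(full, 2));
    printf("guarded len=0: %d, len=2: %d\n",
           default_value(full, 0).ival, default_value(full, 2).ival);
    return 0;
}
```

With the top one slot lower, the `len == 0` read is in bounds but still picks up a stale slot above the top, which is why the bug only surfaces when the stack pointer sits at the very end of the allocation.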