| Tue Jul 8 15:06:50 2008 UTC by otto |
| |
| Fix a venerable bug: if we're reducing a rule that has an empty |
| right hand side and the yacc stackpointer is pointing at the very |
| end of the allocated stack, we end up accessing the stack out of |
| bounds by the implicit $$ = $1 action. Detected by my new malloc, |
| experienced by sturm@ on sparc64; ok deraadt@ |
| |
| |
| Index: yacc-1.9.1/skeleton.c |
| =================================================================== |
| --- yacc-1.9.1.orig/skeleton.c |
| +++ yacc-1.9.1/skeleton.c |
| @@ -18,6 +18,7 @@ char *banner[] = |
| "/*static char yysccsid[] = \"from: @(#)yaccpar 1.9 (Berkeley) 02/21/93\";*/", |
| "static char yyrcsid[] = \"$Id: yacc-1.9.1-CVE-2008-3196.patch,v 1.1 2008/10/04 18:57:18 rbu Exp $\";", |
| "#endif", |
| + "#include <string.h>", |
| "#define YYBYACC 1", |
| "#define YYMAJOR 1", |
| "#define YYMINOR 9", |
| @@ -226,7 +227,10 @@ char *body[] = |
| " YYPREFIX, yystate, yyn, yyrule[yyn]);", |
| "#endif", |
| " yym = yylen[yyn];", |
| - " yyval = yyvsp[1-yym];", |
| + " if (yym)", |
| + " yyval = yyvsp[1-yym];", |
| + " else", |
| + " memset(&yyval, 0, sizeof yyval);", |
| " switch (yyn)", |
| " {", |
| 0 |