Bug 112617 - array bounds error in byacc
array bounds error in byacc
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: byacc (Show other bugs)
1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Petr Machata
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-12-24 13:09 EST by Steve Dum
Modified: 2015-05-04 21:32 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-25 16:26:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Steve Dum 2003-12-24 13:09:53 EST
Description of problem: certian grammars can cause byacc to attempt
to access data off the end of a malloced array.


Version-Release number of selected component (if applicable):1.9


How reproducible:always - grammar dependent.


Steps to Reproduce:
in end_rule() reader.c
when a rule is bugun (reader encounters the : of the rule) end_rule()
is called.  It makes a check to see if this rule returns a value
and if a value is available to return.  However, if we are at the
start of a new rule, the last thing on the pitem stack is a null.
If it happens that this item is also the 300'th item on the stack
(or a multiple of 300) the loop erroneously thinks it is at the
start of a rule with data following and tries to access the 301'st 
element exceeding the array limits.  It appears that the simplest
solution is that end_rule can just check if the last element is a
null and skip this check for a missing default action since the
default action hasn't been entered yet.

 1106,1110c1106,1108
<         if (pitem[nitems-1]) {
<            for (i = nitems - 1; pitem[i]; --i) continue;
<            if (pitem[i+1] == 0 || pitem[i+1]->tag != plhs[nrules]->tag)
<                default_action_warning();
<         }
---
>       for (i = nitems - 1; pitem[i]; --i) continue;
>       if (pitem[i+1] == 0 || pitem[i+1]->tag != plhs[nrules]->tag)
>           default_action_warning();


  
Solution is in the diff above.
Comment 1 Thomas E. Dickey 2005-05-04 20:27:14 EDT
I've applied this to my version, will be on ftp area tomorrow.
Comment 2 Petr Machata 2006-03-02 13:27:15 EST
Is there a testcase that you could provide, please?
Comment 3 Steve Dum 2006-03-03 01:40:05 EST
Not any longer.  That was a different job. Sorry
Comment 4 Matthew Miller 2006-07-11 13:44:16 EDT
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.

Thanks!

NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.

Comment 5 John Thacker 2006-10-25 16:26:39 EDT
Closing per previous comment and lack of response.  Also note that FC1 and FC2
are no longer supported even by Fedora Legacy.

Note You need to log in before you can comment on or make changes to this bug.