Fix an venerable bug: if we're reducing a rule that has an empty

right hand side and the yacc stackpointer is pointing at the very end of the allocated stack, we end up accessing the stack out of bounds by the implicit $$ = $1 action. Detected by my new malloc, experienced by sturm@ on sparc64; ok deraadt@
2025-01-10 06:47:55 -08:00 · 2008-07-08 15:06:50 +00:00 · 2008-07-08 15:06:50 +00:00 · 539ddd41d4
commit 539ddd41d4
parent 98e33d7c05
1 changed files with 7 additions and 3 deletions
--- a/usr.bin/yacc/skeleton.c
+++ b/usr.bin/yacc/skeleton.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: skeleton.c,v 1.28 2007/09/03 21:14:58 deraadt Exp $	*/
+/*	$OpenBSD: skeleton.c,v 1.29 2008/07/08 15:06:50 otto Exp $	*/
 /*	$NetBSD: skeleton.c,v 1.10 1996/03/25 00:36:18 mrg Exp $	*/

 /*
@ -63,9 +63,10 @@ char *banner[] =
    "#if __GNUC__ >= 2",
    "  __attribute__ ((unused))",
    "#endif /* __GNUC__ >= 2 */",
-    "  = \"$OpenBSD: skeleton.c,v 1.28 2007/09/03 21:14:58 deraadt Exp $\";",
+    "  = \"$OpenBSD: skeleton.c,v 1.29 2008/07/08 15:06:50 otto Exp $\";",
    "#endif",
    "#include <stdlib.h>",
+    "#include <string.h>",
    "#define YYBYACC 1",
    "#define YYMAJOR 1",
    "#define YYMINOR 9",
@ -346,7 +347,10 @@ char *body[] =
    "                YYPREFIX, yystate, yyn, yyrule[yyn]);",
    "#endif",
    "    yym = yylen[yyn];",
-    "    yyval = yyvsp[1-yym];",
+    "    if (yym)",
+    "        yyval = yyvsp[1-yym];",
+    "    else",
+    "        memset(&yyval, 0, sizeof yyval);",
    "    switch (yyn)",
    "    {",
    0