Out of bounds read in parse.y.
From: Collin Funk
Subject: Out of bounds read in parse.y.
Date: Mon, 26 Aug 2024 21:41:37 -0700
User-agent: Gnus/5.13 (Gnus v5.13)
Hi,
When compiling with undefined behavior sanitizer and then running:
$ ./bash
parse.y:1000:93: runtime error: index -1 out of bounds for type 'int [257]'
The offending section of code:
case_command:   CASE WORD newline_list IN newline_list ESAC
                        {
                          $$ = make_case_command ($2, (PATTERN_LIST *)NULL,
                                                  word_lineno[word_top]);
                          if (word_top >= 0) word_top--;
                        }
        |       CASE WORD newline_list IN case_clause_sequence newline_list ESAC
                        {
                          /* Access of word_lineno[word_top] causes bad read. */
                          $$ = make_case_command ($2, $5,
                                                  word_lineno[word_top]);
                          if (word_top >= 0) word_top--;
                        }
And the definition of word_top and word_lineno:
    #define MAX_COMPOUND_NEST 256
    static int word_lineno[MAX_COMPOUND_NEST+1];
    static int word_top = -1;
The value of word_top appears to only be set in 'set_word_top':
    static inline int
    set_word_top (int t)
    {
      switch (t)
        {
        case CASE:
        case SELECT:
        case FOR:
        case IF:
        case WHILE:
        case UNTIL:
          if (word_top < MAX_COMPOUND_NEST)
            word_top++;
          word_lineno[word_top] = line_number;
          break;
        default:
          break;
        }
      return word_top;
    }
Shouldn't all the decrements of word_top be protected by:
    if (word_top > 0) word_top--;
instead of:
    if (word_top >= 0) word_top--;
Or is there something more complicated that I am missing here?
Collin
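A small C model of the stack discipline in the fragments quoted above, added to this archived report and not taken from bash: it keeps set_word_top's saturating push and the case_command action's read-then-decrement order, and counts how many reductions would index word_lineno[-1] for a given push/pop sequence. The line numbers it pushes are constructed; the point it makes visible is that the ">= 0" guard runs after the read, so a pop that is not matched by an incrementing push (including the pops left over once nesting exceeds MAX_COMPOUND_NEST and the push stops incrementing) is never protected.

```c
/* Model of the word_lineno / word_top nesting stack from bash's parse.y.
   Added example for this report; mirrors the quoted fragments, not bash code. */
#include <stdio.h>

#define MAX_COMPOUND_NEST 256
static int word_lineno[MAX_COMPOUND_NEST + 1];
static int word_top = -1;

/* Same logic as set_word_top for a compound-command keyword:
   the push saturates at MAX_COMPOUND_NEST instead of failing. */
static void model_push(int line_number)
{
  if (word_top < MAX_COMPOUND_NEST)
    word_top++;
  word_lineno[word_top] = line_number;
}

/* Same order of operations as the case_command action: the read of
   word_lineno[word_top] comes before the ">= 0" guard, so the guard
   cannot prevent a read at index -1.  Returns 1 if that read would occur. */
static int model_pop(int *line_out)
{
  int oob = (word_top < 0);
  *line_out = oob ? 0 : word_lineno[word_top];  /* bash reads unconditionally */
  if (word_top >= 0)
    word_top--;
  return oob;
}

/* Runs `pushes` keyword pushes then `pops` reductions on a fresh stack and
   returns how many of the pops would read word_lineno[-1]. */
int count_oob_reads(int pushes, int pops)
{
  int i, line, oob = 0;
  word_top = -1;
  for (i = 0; i < pushes; i++)
    model_push(i + 1);                 /* constructed line numbers */
  for (i = 0; i < pops; i++)
    oob += model_pop(&line);
  return oob;
}

int main(void)
{
  printf("balanced, depth 3:            %d\n", count_oob_reads(3, 3));
  printf("one unmatched pop:            %d\n", count_oob_reads(3, 4));
  printf("balanced, depth at cap (257): %d\n", count_oob_reads(257, 257));
  printf("balanced, one past the cap:   %d\n", count_oob_reads(258, 258));
  return 0;
}
```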