[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Null-Dereference bug in vector.c

From: 江 祖铭
Subject: Null-Dereference bug in vector.c
Date: Sat, 24 Aug 2019 07:31:18 +0000

The maintainers of bison:

Hello. I am Zu-Ming Jiang, a master student at Tsinghua University

I find a null dereference bug in vector.c

Describe the bug:
the realloc() in the call stack shown below may fail:
#1 Call realloc() in vbitset_resize(), at vector.c: 77
#2 Call vbitset_resize() in vbitset_init(), at bitset.c: 989
#3 Call vbitset_init() in bitset_init(), at bitset.c: 88
#4 Call bitset_init() in bitset_alloc(), at bitset.c: 138
#5 Call bitset_alloc() in bitset_create(), at bitset.c: 163
#6 Call bitset_create() in pack_table(), at table.c: 727
#7 Call pack_table() in tables_generate(), at table.c: 802
#8 Call tables_generate() in main(), at main.c: 152

If the realloc() in this call stack fails, It will make the variable 
VBITSET_WORDS (src) become NULL. And then, the program executes the instruction 
memset (VBITSET_WORDS (src) + oldsize, 0,  (newsize - oldsize) * sizeof 
(bitset_word)). So a crash occur because the program memset a buffer that begin 
at NULL.

Version: Bison 3.4
OS: Ubuntu 18.04

This bug is found by my fuzzing tool and can be triggered at runtime.


Zu-Ming Jiang (江祖铭)
Department of Computer Science and Technology
Tsinghua University, Beijing, 100084, China
Email: address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]