Null-Dereference bug in vector.c
From: 江 祖铭
Subject: Null-Dereference bug in vector.c
Date: Sat, 24 Aug 2019 07:31:18 +0000
To the maintainers of bison:
Hello. I am Zu-Ming Jiang, a master's student at Tsinghua University.
I found a null-dereference bug in vector.c.
Description of the bug:
The realloc() in the call stack shown below may fail:
#1 Call realloc() in vbitset_resize(), at vector.c: 77
#2 Call vbitset_resize() in vbitset_init(), at bitset.c: 989
#3 Call vbitset_init() in bitset_init(), at bitset.c: 88
#4 Call bitset_init() in bitset_alloc(), at bitset.c: 138
#5 Call bitset_alloc() in bitset_create(), at bitset.c: 163
#6 Call bitset_create() in pack_table(), at table.c: 727
#7 Call pack_table() in tables_generate(), at table.c: 802
#8 Call tables_generate() in main(), at main.c: 152
If the realloc() in this call stack fails, it will set the variable
VBITSET_WORDS (src) to NULL. The program then executes the instruction
memset (VBITSET_WORDS (src) + oldsize, 0, (newsize - oldsize) * sizeof
(bitset_word)), so a crash occurs because the program memsets a buffer that
begins at NULL.
Environment:
Version: Bison 3.4
OS: Ubuntu 18.04
Additional note:
This bug was found by my fuzzing tool and can be triggered at runtime.
Best regards!
Zu-Ming Jiang (江祖铭)
Department of Computer Science and Technology
Tsinghua University, Beijing, 100084, China
Email: address@hidden
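The failure mode the report describes, as an added example that is not part of the original message or of Bison's source: a vector bitset whose resize stores the realloc() result straight into the structure and then zeroes the tail, beside a version that keeps the old buffer until the new block is known good. The struct, the `fail_next_alloc` fault-injection hook, and the function names are constructed for this example; `vbitset_resize` in Bison is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for bison's bitset_word and vector bitset (names constructed for
   this example; not bison's real definitions). */
typedef unsigned long bitset_word;

struct vbitset {
    bitset_word *words;   /* plays the role of VBITSET_WORDS (src) in the report */
    size_t size;          /* number of words currently allocated */
};

/* Fault injection: when nonzero, the next allocation request fails once.
   This reproduces "realloc() may fail" without exhausting memory. */
static int fail_next_alloc = 0;

static void *fallible_realloc(void *p, size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* Pattern described in the report: the realloc() result is stored straight
   into the structure and the new tail is zeroed.  On allocation failure the
   pointer becomes NULL (and the old block leaks), so the memset writes to
   NULL + oldsize, which is the reported crash.  Only exercise this on the
   success path. */
static int unsafe_resize(struct vbitset *s, size_t newsize)
{
    size_t oldsize = s->size;
    if (newsize <= oldsize)
        return 0;
    s->words = fallible_realloc(s->words, newsize * sizeof (bitset_word));
    /* BUG: no NULL check before this write. */
    memset(s->words + oldsize, 0, (newsize - oldsize) * sizeof (bitset_word));
    s->size = newsize;
    return 0;
}

/* Hardened version: guard the byte-count multiplication, keep the old pointer
   until realloc() has succeeded, and report failure to the caller so the
   structure is left exactly as it was.  (gnulib-based projects commonly get
   the same guarantee by calling xrealloc, which aborts instead of returning
   NULL.) */
static int safe_resize(struct vbitset *s, size_t newsize)
{
    size_t oldsize = s->size;
    if (newsize <= oldsize)
        return 0;
    if (newsize > SIZE_MAX / sizeof (bitset_word))
        return -1;                           /* byte count would overflow */
    bitset_word *tmp = fallible_realloc(s->words, newsize * sizeof (bitset_word));
    if (tmp == NULL)
        return -1;                           /* s->words and s->size untouched */
    memset(tmp + oldsize, 0, (newsize - oldsize) * sizeof (bitset_word));
    s->words = tmp;
    s->size = newsize;
    return 0;
}

static int vbitset_new(struct vbitset *s, size_t nwords)
{
    s->words = calloc(nwords, sizeof (bitset_word));
    s->size = s->words ? nwords : 0;
    return s->words ? 0 : -1;
}

static void vbitset_free(struct vbitset *s)
{
    free(s->words);
    s->words = NULL;
    s->size = 0;
}

/* Demonstration: an injected failure is survived by safe_resize and the
   original contents remain intact; the same failure would crash unsafe_resize. */
int main(void)
{
    struct vbitset s;
    if (vbitset_new(&s, 2) != 0)
        return 1;
    s.words[0] = 0xA5;

    fail_next_alloc = 1;
    int rc = safe_resize(&s, 8);   /* -1: allocation failed, s untouched */
    rc = safe_resize(&s, 8);       /*  0: second attempt succeeds, size 8 */
    (void) rc;
    vbitset_free(&s);
    return 0;
}
```

The practitioner's check on any resize helper of this shape is the same: the old pointer must still be reachable after a failed realloc(), and nothing may be written through the new pointer before it is tested against NULL.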