bug-bison

Re: Double free in Bison


From: Akim Demaille
Subject: Re: Double free in Bison
Date: Sat, 7 Sep 2019 18:18:45 +0200

Hi Marc!

> On 6 Sept 2019, at 09:09, Marc Schönefeld <address@hidden> wrote:
> 
> Hi Akim, 
>  
> just encountered a problem with the current 3.4.1 download, which triggers an
> assertion condition instead of returning with a normal error return code.
> This undefined behavior may cause DoS problems for certain environments:
>  
> bison  abort.y
> abort.y:27.10-22: Warnung: Symbol "end-of-line" wird mehr als einmal als 
> literale Zeichenkette benutzt [-Wother]
>    27 |   EOF 0  "end-of-line"
>       |          ^~~~~~~~~~~~~
> abort.y:28.3-5: Warnung: Symbol EOF noch einmal deklariert [-Wother]
>    28 |   EOF 0  "end-of-file"
>       |   ^~~
> bison: src/reader.c:839: check_and_convert_grammar: Zusicherung »nsyms == 
> ntokens + nvars« nicht erfüllt.
> Abgebrochen (Speicherabzug geschrieben)
>  
> (gdb) bt
> #0  0x00007fffff065428 in __GI_raise (sig=sig@entry=6) at 
> ../sysdeps/unix/sysv/linux/raise.c:54
> #1  0x00007fffff06702a in __GI_abort () at abort.c:89
> #2  0x00007fffff05dbd7 in __assert_fail_base (fmt=<optimized out>, 
> assertion=assertion@entry=0x451a69 "nsyms == ntokens + nvars",
>     file=file@entry=0x451a5c "src/reader.c", line=line@entry=839,
>     function=function@entry=0x451b90 <__PRETTY_FUNCTION__.6797> 
> "check_and_convert_grammar") at assert.c:92
> #3  0x00007fffff05dc82 in __GI___assert_fail 
> (assertion=assertion@entry=0x451a69 "nsyms == ntokens + nvars",
>     file=file@entry=0x451a5c "src/reader.c", line=line@entry=839,
>     function=function@entry=0x451b90 <__PRETTY_FUNCTION__.6797> 
> "check_and_convert_grammar") at assert.c:101
> #4  0x0000000000423c88 in check_and_convert_grammar () at src/reader.c:839
> #5  reader () at src/reader.c:741
> #6  0x00000000004026ac in main (argc=2, argv=0x7ffffffede18) at src/main.c:104
> (gdb)

Good catch!  This bug happens only when you define the EOF token
(numbered 0) twice.

I'm installing this.  Thanks!

commit 7d701f43789ab0f6150f0efb47904486a330e010
Author: Akim Demaille <address@hidden>
Date:   Sat Sep 7 16:32:20 2019 +0200

    fix: don't die when EOF token is defined twice
    
    With
    
        %token EOF 0 EOF 0
    
    we get
    
        input.y:3.14-16: warning: symbol EOF redeclared [-Wother]
            3 | %token EOF 0 EOF 0
              |              ^~~
        input.y:3.8-10: previous declaration
            3 | %token EOF 0 EOF 0
              |        ^~~
        Assertion failed: (nsyms == ntokens + nvars), function check_and_convert_grammar,
            file /Users/akim/src/gnu/bison/src/reader.c, line 839.
    
    Reported by Marc Schönefeld.
    
    * src/symtab.c (symbol_user_token_number_set): Register only the
    first definition of the end of input token.
    * tests/input.at (Symbol redeclared): Check that case.

diff --git a/THANKS b/THANKS
index a0e3af66..2df6763c 100644
--- a/THANKS
+++ b/THANKS
@@ -100,6 +100,7 @@ Lie Yan                   address@hidden
 Magnus Fromreide          address@hidden
 Marc Autret               address@hidden
 Marc Mendiola             address@hidden
+Marc Schönefeld           address@hidden
 Mark Boyall               address@hidden
 Martin Jacobs             address@hidden
 Martin Mokrejs            address@hidden
diff --git a/src/symtab.c b/src/symtab.c
index 684fdf3d..7b0439ad 100644
--- a/src/symtab.c
+++ b/src/symtab.c
@@ -495,7 +495,7 @@ symbol_user_token_number_set (symbol *sym, int 
user_token_number, location loc)
     {
       *user_token_numberp = user_token_number;
       /* User defined $end token? */
-      if (user_token_number == 0)
+      if (user_token_number == 0 && !endtoken)
         {
           endtoken = sym->content->symbol;
           /* It is always mapped to 0, so it was already counted in
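Review bot: the new `!endtoken` guard on the changed `if` keys on whether any end token has already been registered, not on whether `sym` is the symbol that registered it, so a second, differently named symbol declared with user token number 0 is also skipped here without the code saying so; a one-line comment beside the guard, stating that the duplicate has already been diagnosed (the `symbol EOF redeclared` warning quoted in the commit message) and that only the first registration may be counted toward `nsyms`, would make the intent explicit for the next reader of `symbol_user_token_number_set`.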
diff --git a/tests/input.at b/tests/input.at
index 660cacc9..40d6757a 100644
--- a/tests/input.at
+++ b/tests/input.at
@@ -624,7 +624,7 @@ AT_SETUP([Symbol redeclared])
 AT_DATA([[input.y]],
 [[%token FOO FOO
 %token BAR 12 BAR 12
-
+%token EOF 0 EOF 0
 %%
 exp: FOO BAR
 ]])
@@ -642,6 +642,12 @@ input.y:2.15-17: warning: symbol BAR redeclared [-Wother]
 input.y:2.8-10: previous declaration
     2 | %token BAR 12 BAR 12
       |        ^~~
+input.y:3.14-16: warning: symbol EOF redeclared [-Wother]
+    3 | %token EOF 0 EOF 0
+      |              ^~~
+input.y:3.8-10: previous declaration
+    3 | %token EOF 0 EOF 0
+      |        ^~~
 ]])
 
 AT_CLEANUP
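Review bot: the added expected output only exercises the same-name redeclaration `%token EOF 0 EOF 0`; a second input in this test with two different symbols both given token number 0 would pin down what the `!endtoken` guard in `symbol_user_token_number_set` does when the duplicate is not a redeclaration of the same symbol, and the expected diagnostics for that case belong in this hunk.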