Hello,
In parsers generated by Bison, the function yysyntax_error() uses its
yytoken argument to dereference an array before later testing whether
it's equal to YYEMPTY (a.k.a. -2):
  yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                  yytype_int16 *yyesa, yytype_int16 **yyes,
                  YYSIZE_T *yyes_capacity, yytype_int16 *yyssp, int yytoken)
  {
    YYSIZE_T yysize0 = yytnamerr (YY_NULL, yytname[yytoken]);
    [...]
    if (yytoken != YYEMPTY)
      {
If yytoken can be == YYEMPTY when this is called, it will underflow the
yytname[] array in the initializer for yysize0. The immediate callers of
yysyntax_error() seem to allow for the possibility that yytoken ==
YYEMPTY, but I haven't dug any deeper.
I found this using STACK (http://css.csail.mit.edu/stack/) to scan
another project that uses Bison to generate its parsers, but the
generated code can be seen in the Bison sources themselves, as
src/parse-gram.c.
I used Bison 2.5 (as shipped in debian wheezy), and also today's master
branch (a7280757105b2909f6a58fdd1c582de8e278319a), on x86_64 debian
wheezy on linux 3.2.35.
Thanks,
Tim.
--
Tim Deegan <[email protected]>
Who's the jaunty jackanapes with moxie and pizzazz?
It's the Sneak! It's the Sneak!
[ homestarrunner.com, "The Ballad of The Sneak" ]
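The defect pattern in the report (index a table with a token value, then test that value against the YYEMPTY sentinel) is easiest to see next to the ordering that avoids it. The following is an added illustration, not Bison's generated code: the token table, the `name_copy()` stand-in for `yytnamerr()`, and the two `error_msg_*` functions are constructed for this example, and only the sentinel value -2 is taken from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the generated yytname[] table; the real table
   depends on the grammar.  The token names here are hypothetical. */
static const char *const tok_name[] = {
    "$end", "error", "$undefined", "NUMBER", "PLUS"
};
#define TOK_COUNT ((int)(sizeof tok_name / sizeof tok_name[0]))
#define TOK_EMPTY (-2)   /* same sentinel value as Bison's YYEMPTY */

/* Stand-in for yytnamerr(): copies the name when dst is non-NULL and
   returns its length either way, so callers can size a buffer first. */
static size_t name_copy(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (dst)
        memcpy(dst, src, n + 1);
    return n;
}

/* The ordering described in the report: the table is indexed before the
   sentinel is checked.  Called with tok == TOK_EMPTY this reads
   tok_name[-2], before the start of the array (undefined behaviour). */
int error_msg_unchecked(char *buf, size_t cap, int tok)
{
    size_t size0 = name_copy(NULL, tok_name[tok]);      /* dereference ... */
    if (tok != TOK_EMPTY) {                             /* ... then check */
        if (strlen("syntax error, unexpected ") + size0 + 1 > cap)
            return -1;
        return snprintf(buf, cap, "syntax error, unexpected %s", tok_name[tok]);
    }
    if (cap < sizeof "syntax error")
        return -1;
    return snprintf(buf, cap, "syntax error");
}

/* Hardened ordering: the sentinel and the index range are validated
   before tok is ever used as a subscript. */
int error_msg_checked(char *buf, size_t cap, int tok)
{
    if (tok == TOK_EMPTY) {                 /* no lookahead: generic message */
        if (cap < sizeof "syntax error")
            return -1;
        return snprintf(buf, cap, "syntax error");
    }
    if (tok < 0 || tok >= TOK_COUNT)        /* any other out-of-range index */
        return -1;
    size_t size0 = name_copy(NULL, tok_name[tok]);      /* now safe */
    if (strlen("syntax error, unexpected ") + size0 + 1 > cap)
        return -1;
    return snprintf(buf, cap, "syntax error, unexpected %s", tok_name[tok]);
}

/* Convenience wrapper around the hardened version: returns the message in
   a static buffer, or NULL when the token index is rejected. */
const char *checked_message(int tok)
{
    static char buf[64];
    return error_msg_checked(buf, sizeof buf, tok) < 0 ? NULL : buf;
}

int main(void)
{
    char buf[64];
    int toks[] = { 3, TOK_EMPTY, 7 };
    /* The unchecked variant is only ever called with a valid index here. */
    error_msg_unchecked(buf, sizeof buf, 3);
    printf("unchecked, tok=3 -> %s\n", buf);
    for (size_t i = 0; i < sizeof toks / sizeof toks[0]; i++) {
        int n = error_msg_checked(buf, sizeof buf, toks[i]);
        printf("checked, tok=%d -> %s\n", toks[i], n < 0 ? "(rejected)" : buf);
    }
    return 0;
}
```

The hardened version treats the sentinel as a distinct, legitimate case (no lookahead token, so the message carries no token name) and rejects every other index outside the table, which is the property a reviewer would want to see before `yytoken` reaches `yytname[]`.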