The maintainers of bison: Hello. I am Zu-Ming Jiang, a master's student at Tsinghua University.

I found a null dereference bug in vector.c.

Describe the bug: the realloc() in the call stack shown below may fail:

#1 Call realloc() in vbitset_resize(), at vector.c: 77
#2 Call vbitset_resize() in vbitset_init(), at bitset.c: 989
#3 Call vbitset_init() in bitset_init(), at bitset.c: 88
#4 Call bitset_init() in bitset_alloc(), at bitset.c: 138
#5 Call bitset_alloc() in bitset_create(), at bitset.c: 163
#6 Call bitset_create() in pack_table(), at table.c: 727
#7 Call pack_table() in tables_generate(), at table.c: 802
#8 Call tables_generate() in main(), at main.c: 152

If the realloc() in this call stack fails, it will make the variable VBITSET_WORDS (src) become NULL. Then the program executes the instruction memset (VBITSET_WORDS (src) + oldsize, 0, (newsize - oldsize) * sizeof (bitset_word)). So a crash occurs because the program memsets a buffer that begins at NULL.

Environment:
Version: Bison 3.4
OS: Ubuntu 18.04

Addition: This bug was found by my fuzzing tool and can be triggered at runtime.

Best regards!

Zu-Ming Jiang (江祖铭)
Department of Computer Science and Technology
Tsinghua University, Beijing, 100084, China
Email: jjzum...@outlook.com
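As an added example (not code from this report or from bison), here is the checked shape of the resize step described above: a hypothetical struct stands in for the vbitset layout, and the allocator is passed in so the realloc() failure path can be exercised without exhausting memory. On failure the original buffer is kept rather than overwritten with NULL, so no memset at NULL + oldsize can happen.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the vbitset layout; not bison's real structure. */
typedef unsigned long bitset_word;
typedef struct {
  bitset_word *words;  /* word array, NULL while size == 0 */
  size_t size;         /* number of words currently allocated */
} vbitset;

/* Allocator hook so a caller can inject a realloc() failure. */
typedef void *(*realloc_fn)(void *, size_t);

/* Always fails, like realloc() under memory pressure. */
void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Grow BS to NEWSIZE words and zero the new tail. Returns 0 on success,
   -1 if the allocator fails; on failure bs->words and bs->size are left
   untouched. The unchecked pattern the report describes is
     bs->words = rf (bs->words, ...); memset (bs->words + oldsize, ...);
   which stores NULL into the struct and then writes through it. */
int vbitset_resize_checked(vbitset *bs, size_t newsize, realloc_fn rf)
{
  size_t oldsize = bs->size;
  if (newsize <= oldsize)
    return 0;
  if (newsize > SIZE_MAX / sizeof *bs->words)   /* byte count would overflow */
    return -1;
  bitset_word *tmp = rf(bs->words, newsize * sizeof *bs->words);
  if (tmp == NULL)
    return -1;                                  /* old buffer still valid */
  memset(tmp + oldsize, 0, (newsize - oldsize) * sizeof *tmp);
  bs->words = tmp;
  bs->size = newsize;
  return 0;
}

/* Scenario: grow twice, then hit an allocator failure. Returns 1 when the
   grown tail is zeroed and the failed resize preserved the old buffer. */
int check_resize_failure_is_safe(void)
{
  vbitset bs = { NULL, 0 };
  int ok = vbitset_resize_checked(&bs, 4, realloc) == 0 && bs.size == 4;
  if (ok) { bs.words[0] = 7; ok = vbitset_resize_checked(&bs, 8, realloc) == 0; }
  for (size_t i = 4; ok && i < 8; i++) ok = bs.words[i] == 0;
  bitset_word *before = bs.words;
  ok = ok && vbitset_resize_checked(&bs, 16, failing_realloc) == -1
          && bs.words == before && bs.size == 8 && bs.words[0] == 7;
  free(bs.words);
  return ok;
}
```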