Avoid undefined behavior that accessed just before the start of an array.

* src/reader.c (packgram): Prepend a new sentinel before ritem.
* src/lalr.c (build_relations): Rely on new sentinel.
* src/gram.c (gram_free): Adjust to new sentinel.

diff --git a/ChangeLog b/ChangeLog
index f4f413efbe4ae8da2c4dec9aa1065f38273b3f0b..4448b67efeed18e376299b788858c30a33c2a5c4 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2006-01-18  Paul Eggert  <eggert@cs.ucla.edu>
+
+       Avoid undefined behavior that accessed just before the start of an
+       array.  Problem reported by twlevo.
+       * src/reader.c (packgram): Prepend a new sentinel before ritem.
+       * src/lalr.c (build_relations): Rely on new sentinel.
+       * src/gram.c (gram_free): Adjust to new sentinel.
+
 2006-01-12  Joel E. Denny  <jdenny@ces.clemson.edu>
 
        * data/glr.c (yyGLRStateSet): Rename yylookaheadStatuses to

diff --git a/src/gram.c b/src/gram.c
index d6857369e1a43c7cb857e6ea5165f433e3113ff1..28666b0c8cf4521770adabf08869257ea18c5fb4 100644 (file)
--- a/src/gram.c
+++ b/src/gram.c
@@ -1,6 +1,6 @@
 /* Allocate input grammar variables for Bison.
 
-   Copyright (C) 1984, 1986, 1989, 2001, 2002, 2003, 2005 Free
+   Copyright (C) 1984, 1986, 1989, 2001, 2002, 2003, 2005, 2006 Free
    Software Foundation, Inc.
 
    This file is part of Bison, the GNU Compiler Compiler.
@@ -325,7 +325,8 @@ grammar_rules_never_reduced_report (const char *message)
 void
 grammar_free (void)
 {
-  free (ritem);
+  if (ritem)
+    free (ritem - 1);
   free (rules);
   free (token_translations);
   /* Free the symbol table data structure.  */

diff --git a/src/lalr.c b/src/lalr.c
index e0fae49f712eb5e261bd7799cd7c2a8ccdfb97b7..5c162b50d35f606cffb968d680f66bcfb291c399 100644 (file)
--- a/src/lalr.c
+++ b/src/lalr.c
@@ -1,7 +1,7 @@
 /* Compute look-ahead criteria for Bison.
 
-   Copyright (C) 1984, 1986, 1989, 2000, 2001, 2002, 2003, 2004, 2005
-   Free Software Foundation, Inc.
+   Copyright (C) 1984, 1986, 1989, 2000, 2001, 2002, 2003, 2004, 2005,
+   2006 Free Software Foundation, Inc.
 
    This file is part of Bison, the GNU Compiler Compiler.
 
@@ -247,11 +247,11 @@ build_relations (void)
        {
          bool done;
          int length = 1;
-         item_number *rp;
+         item_number const *rp;
          state *s = states[from_state[i]];
          states1[0] = s->number;
 
-         for (rp = (*rulep)->rhs; *rp >= 0; rp++)
+         for (rp = (*rulep)->rhs; ! item_number_is_rule_number (*rp); rp++)
            {
              s = transitions_to (s->transitions,
                                  item_number_as_symbol_number (*rp));
@@ -266,9 +266,11 @@ build_relations (void)
          while (!done)
            {
              done = true;
+             /* Each rhs ends in an item number, and there is a
+                sentinel before the first rhs, so it is safe to
+                decrement RP here.  */
              rp--;
-             /* JF added rp>=ritem &&   I hope to god its right! */
-             if (rp >= ritem && ISVAR (*rp))
+             if (ISVAR (*rp))
                {
                  /* Downcasting from item_number to symbol_number.  */
                  edge[nedges++] = map_goto (states1[--length],

diff --git a/src/reader.c b/src/reader.c
index f2370a989b7d164e813230097a052bd5633377d3..101cd944f290b527a8119f5b011c0d4d730fe370 100644 (file)
--- a/src/reader.c
+++ b/src/reader.c
@@ -418,7 +418,11 @@ packgram (void)
   rule_number ruleno = 0;
   symbol_list *p = grammar;
 
-  ritem = xnmalloc (nritems, sizeof *ritem);
+  ritem = xnmalloc (nritems + 1, sizeof *ritem);
+
+  /* This sentinel is used by build_relations in gram.c.  */
+  *ritem++ = 0;
+
   rules = xnmalloc (nrules, sizeof *rules);
 
   while (p)