From e9ad4aeca53f9e96dd72821c96d25e3ee2a3a2e8 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Wed, 18 Jan 2006 23:48:29 +0000
Subject: [PATCH] Avoid undefined behavior that accessed just before the start of an array.

* src/reader.c (packgram): Prepend a new sentinel before ritem.
* src/lalr.c (build_relations): Rely on new sentinel.
* src/gram.c (gram_free): Adjust to new sentinel.
---
 ChangeLog    | 8 ++++++++
 src/gram.c   | 5 +++--
 src/lalr.c   | 14 ++++++++------
 src/reader.c | 6 +++++-
 4 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f4f413ef..4448b67e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2006-01-18 Paul Eggert
+
+	Avoid undefined behavior that accessed just before the start of an
+	array. Problem reported by twlevo.
+	* src/reader.c (packgram): Prepend a new sentinel before ritem.
+	* src/lalr.c (build_relations): Rely on new sentinel.
+	* src/gram.c (gram_free): Adjust to new sentinel.
+
 2006-01-12 Joel E. Denny
 
 	* data/glr.c (yyGLRStateSet): Rename yylookaheadStatuses to
diff --git a/src/gram.c b/src/gram.c
index d6857369..28666b0c 100644
--- a/src/gram.c
+++ b/src/gram.c
@@ -1,6 +1,6 @@
 /* Allocate input grammar variables for Bison.
 
-   Copyright (C) 1984, 1986, 1989, 2001, 2002, 2003, 2005 Free
+   Copyright (C) 1984, 1986, 1989, 2001, 2002, 2003, 2005, 2006 Free
    Software Foundation, Inc.
 
    This file is part of Bison, the GNU Compiler Compiler.
@@ -325,7 +325,8 @@ grammar_rules_never_reduced_report (const char *message)
 void
 grammar_free (void)
 {
-  free (ritem);
+  if (ritem)
+    free (ritem - 1);
   free (rules);
   free (token_translations);
   /* Free the symbol table data structure. */
diff --git a/src/lalr.c b/src/lalr.c
index e0fae49f..5c162b50 100644
--- a/src/lalr.c
+++ b/src/lalr.c
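Review bot: The new `free (ritem - 1)` in grammar_free is correct only because packgram (src/reader.c, in this same patch) stores a sentinel and then advances `ritem` one element past the start of the allocation, and nothing at the free site says so; a reader who sees only gram.c will take the `- 1` for an off-by-one. I would put the reason on the line: `/* packgram stores a sentinel at ritem[-1]; the allocation starts there.  */`. The new `if (ritem)` guard also deserves a word, since it looks like a redundant free(NULL) check but is what keeps `ritem - 1` from being formed from a null pointer, which would itself be undefined: `/* Never form ritem - 1 from a null ritem.  */`. grammar_free continues past the end of the hunk, and note that the commit message's ChangeLog entry refers to this function as gram_free although it is named grammar_free here.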
@@ -1,7 +1,7 @@
 /* Compute look-ahead criteria for Bison.
 
-   Copyright (C) 1984, 1986, 1989, 2000, 2001, 2002, 2003, 2004, 2005
-   Free Software Foundation, Inc.
+   Copyright (C) 1984, 1986, 1989, 2000, 2001, 2002, 2003, 2004, 2005,
+   2006 Free Software Foundation, Inc.
 
    This file is part of Bison, the GNU Compiler Compiler.
 
@@ -247,11 +247,11 @@ build_relations (void)
         {
           bool done;
           int length = 1;
-          item_number *rp;
+          item_number const *rp;
           state *s = states[from_state[i]];
 
           states1[0] = s->number;
-          for (rp = (*rulep)->rhs; *rp >= 0; rp++)
+          for (rp = (*rulep)->rhs; ! item_number_is_rule_number (*rp); rp++)
             {
               s = transitions_to (s->transitions,
                                   item_number_as_symbol_number (*rp));
@@ -266,9 +266,11 @@ build_relations (void)
           while (!done)
             {
               done = true;
+              /* Each rhs ends in an item number, and there is a
+                 sentinel before the first rhs, so it is safe to
+                 decrement RP here. */
               rp--;
-              /* JF added rp>=ritem && I hope to god its right! */
-              if (rp >= ritem && ISVAR (*rp))
+              if (ISVAR (*rp))
                 {
                   /* Downcasting from item_number to symbol_number. */
                   edge[nedges++] = map_goto (states1[--length],
diff --git a/src/reader.c b/src/reader.c
index f2370a98..101cd944 100644
--- a/src/reader.c
+++ b/src/reader.c
@@ -418,7 +418,11 @@ packgram (void)
   rule_number ruleno = 0;
   symbol_list *p = grammar;
 
-  ritem = xnmalloc (nritems, sizeof *ritem);
+  ritem = xnmalloc (nritems + 1, sizeof *ritem);
+
+  /* This sentinel is used by build_relations in gram.c. */
+  *ritem++ = 0;
+
   rules = xnmalloc (nrules, sizeof *rules);
 
   while (p)
-- 
2.47.2
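Review bot: The new comment above `rp--` justifies the decrement itself but not why the backward walk stops: it terminates at the sentinel only because `ISVAR (*rp)` is false for it, which in turn rests on the sentinel value packgram stores (0 in this patch) never counting as a nonterminal, presumably because symbol 0 is a token; that invariant is what this hunk now relies on in place of the dropped `rp >= ritem` check, and it is stated nowhere. I would extend the comment with the second half of the argument: `Both the rule-number terminator and the sentinel fail ISVAR, so the walk stops at them.` Should the sentinel value ever change to one ISVAR accepts, this loop would run `states1[--length]` below the start of states1 with no guard left, so the two sites should reference each other. build_relations begins before the first hunk and continues after this one.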
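Review bot: The comment on the new sentinel points at the wrong file: build_relations lives in src/lalr.c (the other hunk of this patch edits it there), not gram.c, so `/* This sentinel is used by build_relations in gram.c. */` should read `/* This sentinel is used by build_relations in lalr.c. */`. While touching it, state what the value must satisfy, since the consumer's loop stops only because `ISVAR` rejects it, and that grammar_free in src/gram.c frees `ritem - 1` to compensate for the `ritem++` here; otherwise the one-element offset of the allocation is invisible at this site. Something like `/* Sentinel read by build_relations (lalr.c) when it walks backward off the first rhs; it must not satisfy ISVAR. grammar_free releases the block starting at ritem - 1. */` would cover both. packgram starts before the hunk and continues after it.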