Re: Out of bounds read in parse.y.
From: Chet Ramey
Subject: Re: Out of bounds read in parse.y.
Date: Tue, 27 Aug 2024 10:33:16 -0400
User-agent: Mozilla Thunderbird
On 8/27/24 12:41 AM, Collin Funk wrote:
> Hi,
>
> When compiling with the undefined behavior sanitizer and then running:
Which version?
> $ ./bash
> parse.y:1000:93: runtime error: index -1 out of bounds for type 'int [257]'
Please send a reproducer.
> The offending section of code:
>
> case_command:   CASE WORD newline_list IN newline_list ESAC
>                         {
>                           $$ = make_case_command ($2, (PATTERN_LIST *)NULL,
>                                                   word_lineno[word_top]);
>                           if (word_top >= 0) word_top--;
>                         }
>         |       CASE WORD newline_list IN case_clause_sequence newline_list ESAC
>                         {
>                           /* Access of word_lineno[word_top] causes bad read.  */
>                           $$ = make_case_command ($2, $5,
>                                                   word_lineno[word_top]);
>                           if (word_top >= 0) word_top--;
>                         }
>
> And the definition of word_top and word_lineno:
>
> #define MAX_COMPOUND_NEST 256
> static int word_lineno[MAX_COMPOUND_NEST+1];
> static int word_top = -1;
>
> The value of word_top appears to only be set in 'set_word_top':
>
> static inline int
> set_word_top (int t)
> {
>   switch (t)
>     {
>     case CASE:
>     case SELECT:
>     case FOR:
>     case IF:
>     case WHILE:
>     case UNTIL:
>       if (word_top < MAX_COMPOUND_NEST)
>         word_top++;
>       word_lineno[word_top] = line_number;
>       break;
>     default:
>       break;
>     }
>   return word_top;
> }
>
> Shouldn't all the decrements of word_top be protected by:
>
>   if (word_top > 0) word_top--;
>
> instead of:
>
>   if (word_top >= 0) word_top--;
Why? 0 is a valid index. set_word_top increments word_top before assigning
to word_lineno[word_top].
> Or is there something more complicated that I am missing here?
I suspect there is a decrement that isn't matched by a call to
set_word_top(). But a reproducer would help, otherwise we're all just
guessing.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
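The exchange above turns on whether every decrement of word_top is matched by a push in set_word_top(). The following is an added example, not code from the thread or from bash itself: it models the word_lineno/word_top stack exactly as quoted (capped push, `>= 0` guard on pop), replaces the raw `word_lineno[word_top]` read with a bounds-checked accessor, and replays constructed push/read-and-pop event strings to count how many reads would have hit index -1. The function names push_word_top, pop_word_top, lineno_at and replay are hypothetical; the event-string encoding is constructed for this example.

```c
#include <stdio.h>

#define MAX_COMPOUND_NEST 256

/* Model of the parser's compound-command line-number stack, as quoted. */
static int word_lineno[MAX_COMPOUND_NEST + 1];
static int word_top = -1;

/* Mirrors the push in set_word_top(): increment (capped), then record the line. */
static int push_word_top(int line_number)
{
    if (word_top < MAX_COMPOUND_NEST)
        word_top++;
    word_lineno[word_top] = line_number;
    return word_top;
}

/* Mirrors the pop in the grammar actions; stops at -1, the "empty" marker.
   Note that 0 is a valid index, so a "> 0" guard would be wrong here. */
static int pop_word_top(void)
{
    if (word_top >= 0)
        word_top--;
    return word_top;
}

/* Bounds-checked read. Returns 1 and stores the line number when top is a
   valid index, 0 otherwise, so an empty stack is reported instead of
   reading word_lineno[-1] (the read the sanitizer flagged). */
static int lineno_at(int top, int *line_out)
{
    if (top < 0 || top > MAX_COMPOUND_NEST)
        return 0;
    *line_out = word_lineno[top];
    return 1;
}

/* Replay a constructed event string against a fresh stack:
   'p' = an opening keyword (case/for/...) pushed a line number,
   'r' = a closing rule read word_lineno[word_top] and then popped.
   Returns how many reads found the stack empty, i.e. how many pops
   were not preceded by a matching push. */
static int replay(const char *events)
{
    int bad_reads = 0, line = 1, lineno;
    const char *e;

    word_top = -1;
    for (e = events; *e; e++) {
        if (*e == 'p') {
            push_word_top(line++);
        } else if (*e == 'r') {
            if (!lineno_at(word_top, &lineno))
                bad_reads++;
            pop_word_top();
        }
    }
    return bad_reads;
}

int main(void)
{
    /* Constructed sequences: balanced nesting vs. one unmatched pop. */
    printf("balanced  pprr : %d bad reads\n", replay("pprr"));
    printf("unmatched prr  : %d bad reads\n", replay("prr"));
    return 0;
}
```

A balanced sequence never reads below index 0, while a single extra pop is enough to make the next read land on -1; that is the situation Chet describes, a decrement with no corresponding set_word_top() call, and a checked accessor like lineno_at turns the silent out-of-bounds read into a detectable condition.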