Fix a longstanding bug, from Otto Moerbeck:

if we're reducing a rule that has an empty right hand side and the yacc stackpointer is pointing at the very end of the allocated stack, we end up accessing the stack out of bounds by the implicit $$ = $1 action Obtained from: OpenBSD
author: kevlo <kevlo@FreeBSD.org> 2008-07-18 15:05:14 +0000
committer: kevlo <kevlo@FreeBSD.org> 2008-07-18 15:05:14 +0000
commit: 08fb11c891294fda58b055001bc6846544a5818f (patch)
tree: 77a745c5c286f0d0e6c33a5c57f1d4ca1e38c7cb /usr.bin/yacc
parent: 1f1d4ebf9acae29a6390412a03b9ed72415aa9c8 (diff)
download: FreeBSD-src-08fb11c891294fda58b055001bc6846544a5818f.zip
FreeBSD-src-08fb11c891294fda58b055001bc6846544a5818f.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.bin/yacc/skeleton.c b/usr.bin/yacc/skeleton.c
index f765c91..c1263d9 100644
--- a/usr.bin/yacc/skeleton.c
+++ b/usr.bin/yacc/skeleton.c
@@ -60,6 +60,7 @@ __FBSDID("$FreeBSD$");
 const char *banner[] =
 {
     "#include <stdlib.h>",
+    "#include <string.h>",
     "#ifndef lint",
     "#ifdef __unused",
     "__unused",
@@ -331,7 +332,10 @@ const char *body[] =
     "                YYPREFIX, yystate, yyn, yyrule[yyn]);",
     "#endif",
     "    yym = yylen[yyn];",
-    "    yyval = yyvsp[1-yym];",
+    "    if (yym)",
+    "        yyval = yyvsp[1-yym];",
+    "    else",
+    "    memset(&yyval, 0, sizeof yyval);",
     "    switch (yyn)",
     "    {",
     0
author	kevlo <kevlo@FreeBSD.org>	2008-07-18 15:05:14 +0000
committer	kevlo <kevlo@FreeBSD.org>	2008-07-18 15:05:14 +0000
commit	08fb11c891294fda58b055001bc6846544a5818f (patch)
tree	77a745c5c286f0d0e6c33a5c57f1d4ca1e38c7cb /usr.bin/yacc
parent	1f1d4ebf9acae29a6390412a03b9ed72415aa9c8 (diff)
download	FreeBSD-src-08fb11c891294fda58b055001bc6846544a5818f.zip FreeBSD-src-08fb11c891294fda58b055001bc6846544a5818f.tar.gz