Fix a longstanding bug, from Otto Moerbeck:

if we're reducing a rule that has an empty right hand side and the yacc stackpointer is pointing at the very end of the allocated stack, we end up accessing the stack out of bounds by the implicit $$ = $1 action Obtained from: OpenBSD
2008-07-18 15:05:14 +00:00 · 2008-07-18 15:05:14 +00:00 · 08fb11c891
commit 08fb11c891
parent 1f1d4ebf9a
1 changed files with 5 additions and 1 deletions
--- a/usr.bin/yacc/skeleton.c
+++ b/usr.bin/yacc/skeleton.c
@ -60,6 +60,7 @@ __FBSDID("$FreeBSD$");
 const char *banner[] =
 {
    "#include <stdlib.h>",
+    "#include <string.h>",
    "#ifndef lint",
    "#ifdef __unused",
    "__unused",
@ -331,7 +332,10 @@ const char *body[] =
    "                YYPREFIX, yystate, yyn, yyrule[yyn]);",
    "#endif",
    "    yym = yylen[yyn];",
-    "    yyval = yyvsp[1-yym];",
+    "    if (yym)",
+    "        yyval = yyvsp[1-yym];",
+    "    else",
+    "    memset(&yyval, 0, sizeof yyval);",
    "    switch (yyn)",
    "    {",
    0