You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/12/08 07:56:02 UTC

[Bug 55856] New: YYEMPTY (-2) used as index into yytname (const array of messages)

https://issues.apache.org/bugzilla/show_bug.cgi?id=55856

            Bug ID: 55856
           Summary: YYEMPTY (-2) used as index into yytname (const array
                    of messages)
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: jaredlwong@gmail.com

Created attachment 31101
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31101&action=edit
The Patch

In server/util_expr_parse.c there is a bug in the handling of yytoken when
yytoken is equal to YYEMPTY. YYEMPTY is set to -2. The only place this
function, yysyntax_error, is used is in yyparse's section for yyerrlab. In
yyerrlab, yytoken is set as:

    yytoken = yychar == YYEMPTY ? YYEMPTY : YYTRANSLATE (yychar);

Clearly, when yysyntax_error is called yytoken may be YYEMPTY. When yytnamerr
is called with the value of yytname[yytoken], it is undefined what will happen.

I have included the patch I think needs to be made below. I'm not completely
sure, however, of this fix. Regardless, this is a bug.

----- patch -----

Index: server/util_expr_parse.c
===================================================================
--- server/util_expr_parse.c    (revision 1548995)
+++ server/util_expr_parse.c    (working copy)
@@ -1054,7 +1054,8 @@
 yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                 yytype_int16 *yyssp, int yytoken)
 {
-  YYSIZE_T yysize0 = yytnamerr (YY_NULL, yytname[yytoken]);
+  YYSIZE_T yysize0 = yytoken == YYEMPTY
+    ? 0 : yytnamerr (YY_NULL, yytname[yytoken]);
   YYSIZE_T yysize = yysize0;
   enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
   /* Internationalized format string. */

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org