scanner: don't crash on strings containing a NUL byte

We crash if the input contains a string containing a NUL byte. Reported by Suhwan Song. https://lists.gnu.org/r/bug-bison/2020-07/msg00051.html * src/flex-scanner.h (STRING_FREE): Avoid accidental use of last_string. * src/scan-gram.l: Don't call STRING_FREE without calling STRING_FINISH first. * tests/input.at (Invalid inputs): Check that case.
2026-03-09 20:33:03 +00:00 · 2020-07-28 18:51:30 +02:00
parent 6accee7716
commit be95a4fe29
4 changed files with 50 additions and 12 deletions
--- a/src/flex-scanner.h
+++ b/src/flex-scanner.h
@@ -112,7 +112,15 @@ static struct obstack obstack_for_string;
 # define STRING_1GROW(Char)                     \
  obstack_1grow (&obstack_for_string, Char)

-# define STRING_FREE()                                  \
+# ifdef NDEBUG
+#  define STRING_FREE()                                 \
  obstack_free (&obstack_for_string, last_string)
+# else
+#  define STRING_FREE()                                  \
+  do {                                                   \
+    obstack_free (&obstack_for_string, last_string);     \
+    last_string = NULL;                                  \
+  } while (0)
+#endif

 #endif
--- a/src/scan-gram.l
+++ b/src/scan-gram.l
@@ -403,6 +403,7 @@ eqopt    ({sp}=)?
 {
  \0         {
    complain (loc, complaint, _("invalid null character"));
+    STRING_FINISH ();
    STRING_FREE ();
    return GRAM_error;
  }
@@ -599,7 +600,6 @@ eqopt    ({sp}=)?
    STRING_FINISH ();
    BEGIN INITIAL;
    loc->start = token_start;
-    val->CHAR = last_string[0];

    if (last_string[0] == '\0')
      {
@@ -615,6 +615,7 @@ eqopt    ({sp}=)?
      }
    else
      {
+        val->CHAR = last_string[0];
        STRING_FREE ();
        return CHAR;
      }