authorOtto Moerbeek <otto@cvs.openbsd.org>2008-07-08 15:06:51 +0000
committerOtto Moerbeek <otto@cvs.openbsd.org>2008-07-08 15:06:51 +0000
commit7a3d395c69db3c8452efe68ea465fcf6112fd974 (patch)
tree44880e242123b2ed45f33bcc03868e65428e889d
parentfb81790dae641d1e61107add3c97f9addbb93edc (diff)
Fix a venerable bug: if we're reducing a rule that has an empty
right hand side and the yacc stackpointer is pointing at the very end of the allocated stack, we end up accessing the stack out of bounds by the implicit $$ = $1 action. Detected by my new malloc, experienced by sturm@ on sparc64; ok deraadt@
-rw-r--r--usr.bin/yacc/skeleton.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/usr.bin/yacc/skeleton.c b/usr.bin/yacc/skeleton.c
index 2b1739f2697..082ae29d39d 100644
--- a/usr.bin/yacc/skeleton.c
+++ b/usr.bin/yacc/skeleton.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: skeleton.c,v 1.28 2007/09/03 21:14:58 deraadt Exp $ */
+/* $OpenBSD: skeleton.c,v 1.29 2008/07/08 15:06:50 otto Exp $ */
/* $NetBSD: skeleton.c,v 1.10 1996/03/25 00:36:18 mrg Exp $ */
/*
@@ -63,9 +63,10 @@ char *banner[] =
"#if __GNUC__ >= 2",
" __attribute__ ((unused))",
"#endif /* __GNUC__ >= 2 */",
- " = \"$OpenBSD: skeleton.c,v 1.28 2007/09/03 21:14:58 deraadt Exp $\";",
+ " = \"$OpenBSD: skeleton.c,v 1.29 2008/07/08 15:06:50 otto Exp $\";",
"#endif",
"#include <stdlib.h>",
+ "#include <string.h>",
"#define YYBYACC 1",
"#define YYMAJOR 1",
"#define YYMINOR 9",
@@ -346,7 +347,10 @@ char *body[] =
" YYPREFIX, yystate, yyn, yyrule[yyn]);",
"#endif",
" yym = yylen[yyn];",
- " yyval = yyvsp[1-yym];",
+ " if (yym)",
+ " yyval = yyvsp[1-yym];",
+ " else",
+ " memset(&yyval, 0, sizeof yyval);",
" switch (yyn)",
" {",
0
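Review bot: The emitted `if (yym)` / `else` branch has no comment explaining why the implicit `$$ = $1` copy is skipped for empty rules, so a later cleanup could fold it back into the unconditional `yyval = yyvsp[1-yym];` and reintroduce the read past the end of the value stack. I would emit a comment line just before the test, for example `"    /* empty rhs: yyvsp[1] may lie beyond the allocated stack, do not read it */",`. It is also worth documenting that `yyval` is now all-zero bytes on entry to an empty rule's action instead of whatever sat above the stack top; presumably no grammar relied on the old value, but that cannot be confirmed from this hunk. The `body[]` string table starts outside the hunk.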