Quick patch to the Lemon parser template to avoid an array overread reported

by OSSFuzz. A proper fix involves enhancements to the table generators in Lemon to make the overread impossible. That fix will take longer to implement. The current check-in is a stop-gap. FossilOrigin-Name: 3f6730be4cb712a28401be6d96e56ccb3f2e98dd8961b477befec3f363715178
2018-07-01 16:05:40 +00:00 · 2018-07-01 16:05:40 +00:00 · 9f607e9c23
commit 9f607e9c23
parent d2ac43ea38
3 changed files with 9 additions and 8 deletions
--- a/14
+++ b/14
@ -1,5 +1,5 @@
-C Avoid\sa\swarning\sin\sfts5.c\sdue\sto\snot\susing\sgenerated\sroutine\nsqlite3Fts5ParserFallback().
-D 2018-06-30T20:26:52.878
+C Quick\spatch\sto\sthe\sLemon\sparser\stemplate\sto\savoid\san\sarray\soverread\sreported\nby\sOSSFuzz.\s\sA\sproper\sfix\sinvolves\senhancements\sto\sthe\stable\sgenerators\sin\nLemon\sto\smake\sthe\soverread\simpossible.\s\sThat\sfix\swill\stake\slonger\sto\nimplement.\s\sThe\scurrent\scheck-in\sis\sa\sstop-gap.
+D 2018-07-01T16:05:40.758
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in 0a3a6c81e6fcb969ff9106e882f0a08547014ba463cb6beca4c4efaecc924ee6
@ -1664,7 +1664,7 @@ F tool/genfkey.test 4196a8928b78f51d54ef58e99e99401ab2f0a7e5
 F tool/getlock.c f4c39b651370156cae979501a7b156bdba50e7ce
 F tool/kvtest-speed.sh 4761a9c4b3530907562314d7757995787f7aef8f
 F tool/lemon.c 33892e2a243865f73e6c6e7cecce3c6eb4bb95db4a3d9d86d146c8064feb92fd
-F tool/lempar.c 6f64bc81160495f93d0f2ae27c787cb7cf4d5c7f5d2abf3823bc878ded6d6293
+F tool/lempar.c a6ebc2024f2d3ab90b93b4ea8bb39b4a320e7a4a4268e1fdef8ae45e8e714593
 F tool/libvers.c caafc3b689638a1d88d44bc5f526c2278760d9b9
 F tool/loadfts.c c3c64e4d5e90e8ba41159232c2189dba4be7b862
 F tool/logest.c 11346aa019e2e77a00902aa7d0cabd27bd2e8cca
@ -1744,7 +1744,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 17198a1206e2fbc9e555881468e8c6980b00e25b5b78a6798a6264ca7384f1ca
-R ebb046d75f3c51ba97ee728039ef9b02
-U dan
-Z 8fbb7dd79d8c07df0e6632e04176732a
+P 65ff5144a55f1ba2b2ef812a0c988fa2522441177038b8d686eb1d0c558c75d5
+R 3c4f5fbed7f648d733dce0ff7eec4d29
+U drh
+Z d7489229aa03ad09a6b5a39009aab4a6
--- a/manifest.uuid
+++ b/manifest.uuid
@ -1 +1 @@
-65ff5144a55f1ba2b2ef812a0c988fa2522441177038b8d686eb1d0c558c75d5
+3f6730be4cb712a28401be6d96e56ccb3f2e98dd8961b477befec3f363715178
--- a/tool/lempar.c
+++ b/tool/lempar.c
@ -550,6 +550,7 @@ static YYACTIONTYPE yy_find_shift_action(
 #if YY_SHIFT_MAX+YYWILDCARD>=YY_ACTTAB_COUNT
          j<YY_ACTTAB_COUNT &&
 #endif
+          j<sizeof(yy_lookahead)/sizeof(yy_lookahead[0]) &&
          yy_lookahead[j]==YYWILDCARD && iLookAhead>0
        ){
 #ifndef NDEBUG