Quick patch to the Lemon parser template to avoid an array overread reported
authordrh <drh@noemail.net>
Sun, 1 Jul 2018 16:05:40 +0000 (16:05 +0000)
committerdrh <drh@noemail.net>
Sun, 1 Jul 2018 16:05:40 +0000 (16:05 +0000)
by OSSFuzz.  A proper fix involves enhancements to the table generators in
Lemon to make the overread impossible.  That fix will take longer to
implement.  The current check-in is a stop-gap.

FossilOrigin-Name: 3f6730be4cb712a28401be6d96e56ccb3f2e98dd8961b477befec3f363715178

manifest
manifest.uuid
tool/lempar.c

index b0146233a3728ac25fb507c2749e4ae2a2f5645f..8e9fbfd62c5d04a64f509413e96a4bdce170a39c 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Avoid\sa\swarning\sin\sfts5.c\sdue\sto\snot\susing\sgenerated\sroutine\nsqlite3Fts5ParserFallback().
-D 2018-06-30T20:26:52.878
+C Quick\spatch\sto\sthe\sLemon\sparser\stemplate\sto\savoid\san\sarray\soverread\sreported\nby\sOSSFuzz.\s\sA\sproper\sfix\sinvolves\senhancements\sto\sthe\stable\sgenerators\sin\nLemon\sto\smake\sthe\soverread\simpossible.\s\sThat\sfix\swill\stake\slonger\sto\nimplement.\s\sThe\scurrent\scheck-in\sis\sa\sstop-gap.
+D 2018-07-01T16:05:40.758
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in 0a3a6c81e6fcb969ff9106e882f0a08547014ba463cb6beca4c4efaecc924ee6
@@ -1664,7 +1664,7 @@ F tool/genfkey.test 4196a8928b78f51d54ef58e99e99401ab2f0a7e5
 F tool/getlock.c f4c39b651370156cae979501a7b156bdba50e7ce
 F tool/kvtest-speed.sh 4761a9c4b3530907562314d7757995787f7aef8f
 F tool/lemon.c 33892e2a243865f73e6c6e7cecce3c6eb4bb95db4a3d9d86d146c8064feb92fd
-F tool/lempar.c 6f64bc81160495f93d0f2ae27c787cb7cf4d5c7f5d2abf3823bc878ded6d6293
+F tool/lempar.c a6ebc2024f2d3ab90b93b4ea8bb39b4a320e7a4a4268e1fdef8ae45e8e714593
 F tool/libvers.c caafc3b689638a1d88d44bc5f526c2278760d9b9
 F tool/loadfts.c c3c64e4d5e90e8ba41159232c2189dba4be7b862
 F tool/logest.c 11346aa019e2e77a00902aa7d0cabd27bd2e8cca
@@ -1744,7 +1744,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 17198a1206e2fbc9e555881468e8c6980b00e25b5b78a6798a6264ca7384f1ca
-R ebb046d75f3c51ba97ee728039ef9b02
-U dan
-Z 8fbb7dd79d8c07df0e6632e04176732a
+P 65ff5144a55f1ba2b2ef812a0c988fa2522441177038b8d686eb1d0c558c75d5
+R 3c4f5fbed7f648d733dce0ff7eec4d29
+U drh
+Z d7489229aa03ad09a6b5a39009aab4a6
index 4801fda84b8455d8ae837ad8453f3def3e4b58f9..e5f644ca5e48a0525d3009ff8d1d8b292ca2fe67 100644 (file)
@@ -1 +1 @@
-65ff5144a55f1ba2b2ef812a0c988fa2522441177038b8d686eb1d0c558c75d5
\ No newline at end of file
+3f6730be4cb712a28401be6d96e56ccb3f2e98dd8961b477befec3f363715178
\ No newline at end of file
index 450dcde4bc9b7b5d79372f6ddc7b3cae59116c92..e19aba4d207527544edf04aa6f26135f01b71ed2 100644 (file)
@@ -550,6 +550,7 @@ static YYACTIONTYPE yy_find_shift_action(
 #if YY_SHIFT_MAX+YYWILDCARD>=YY_ACTTAB_COUNT
           j<YY_ACTTAB_COUNT &&
 #endif
+          j<sizeof(yy_lookahead)/sizeof(yy_lookahead[0]) &&
           yy_lookahead[j]==YYWILDCARD && iLookAhead>0
         ){
 #ifndef NDEBUG
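Review bot: The added bound `j<sizeof(yy_lookahead)/sizeof(yy_lookahead[0])` compares `j` against a `size_t`, and `j` is declared outside this hunk; if it is a signed int, the check only works through implicit conversion, which also triggers sign-compare warnings in every generated parser. Making the conversion explicit, `(size_t)j<sizeof(yy_lookahead)/sizeof(yy_lookahead[0]) &&`, keeps the rejection of negative indexes and documents the intent. Since the commit message calls this a stop-gap, a comment above the line such as `/* Stop-gap: yy_lookahead[] may be shorter than YY_ACTTAB_COUNT; remove once Lemon pads the table */` would explain why this check sits beside the conditional `j<YY_ACTTAB_COUNT` guard. The rest of yy_find_shift_action is outside the hunk, so its other reads of `yy_lookahead[]` should be checked for the same bound.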