Segfault with PHP and bison 1.875
| Bug #25770 | Segfault with PHP and bison 1.875 | ||||
|---|---|---|---|---|---|
| Submitted: | 2003-10-07 03:11 UTC | Modified: | 2003-10-07 06:02 UTC | ||
| From: | eggert at gnu dot org | Assigned: | helly (profile) | ||
| Status: | Closed | Package: | Reproducible crash | ||
| PHP Version: | 4.3.4RC1 | OS: | * | ||
| Private report: | No | CVE-ID: | None | ||
[2003-10-07 03:11 UTC] eggert at gnu dot org
Description:
------------
PHP segfaults if it's built with Bison 1.875 or later. This turns out to be a portability bug in Zend/zend_ini_parser.y. That grammar uses the character constant '\0' as a token. POSIX says that the behavior is undefined in this case. See <http://www.opengroup.org/onlinepubs/007904975/utilities/yacc.html>, section "Lexical Structure of the Grammar", which says "The application shall ensure that the NUL character is not used in grammar rules or literals." This prohibits grammars from using '\0' tokens.

I suspect that earlier versions of Bison silently ignored any grammar rules containing '\0' tokens, but newer versions cause them to make the parser dump core. Both behaviors conform to POSIX, but obviously it'd be better if Bison issues a diagnostic when it sees such tokens. I'll install a fix to Bison to do that.

Here is a patch to PHP to fix the PHP bug. This patch is relative to php5, but the bug is in php4 as well. Can you please arrange for this fix to be installed, or let me know the proper bug-reporting procedure? Thanks.

2003-10-06 Paul Eggert <eggert@twinsun.com>
* Zend/zend_ini_parser.y: This patch also fixes PHP bug #21159.

Index: Zend/zend_ini_parser.y =================================================================== RCS file: /repository/ZendEngine2/zend_ini_parser.y,v retrieving revision 1.24 diff -p -u -r1.24 zend_ini_parser.y --- Zend/zend_ini_parser.y 10 Jun 2003 20:03:25 -0000 1.24 +++ Zend/zend_ini_parser.y 7 Oct 2003 06:55:36 -0000 @@ -213,7 +213,6 @@ string_or_value: | CFG_TRUE { $$ = $1; } | CFG_FALSE { $$ = $1; } | '\n' { $$.value.str.val = strdup(""); $$.value.str.len=0; $$.type = IS_STRING; } - | '\0' { $$.value.str.val = strdup(""); $$.value.str.len=0; $$.type = IS_STRING; } ; expr:
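Review bot: With the '\0' alternative deleted from string_or_value, the hunk leaves no alternative for an empty value that ends at end of input rather than at '\n'; the deleted action returned an empty IS_STRING exactly as the remaining '\n' action does. Please confirm how an entry with no value on the last line of a file that lacks a trailing newline parses after this change, and add a test for it. If that case still needs a grammar alternative, have the scanner return a named token declared with %token rather than a NUL literal. The ChangeLog entry should also state the change itself (removal of the '\0' token), not only that it fixes bug #21159.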
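A lint pass for the portability bug described in the report, as an added example (not code from the report, PHP or Bison): it flags NUL character constants used as tokens in a yacc grammar's rules section while ignoring '\0' inside C action code. The function name and the sample grammar are constructed for illustration; grammar comments that contain quotes or braces are not handled.

```python
import re

# Spellings of the NUL character constant: '\0', '\000', '\x00', ...
NUL_LITERAL = re.compile(r"'\\(?:0{1,3}|x0+)'")

def find_nul_tokens(grammar_text):
    """Return (line_no, text) for each NUL literal used as a token in the
    rules section (between the two %% lines), ignoring { } action code."""
    hits, section, depth = [], 0, 0
    for line_no, line in enumerate(grammar_text.splitlines(), 1):
        if depth == 0 and line.strip() == "%%":
            section += 1          # 1 = rules section, 2 = epilogue
            continue
        if section != 1:
            continue
        outside, i = [], 0        # text of this line that is not action code
        while i < len(line):
            ch = line[i]
            if ch in "'\"":       # take a quoted literal whole
                j = i + 1
                while j < len(line) and line[j] != ch:
                    j += 2 if line[j] == "\\" else 1
                if depth == 0:
                    outside.append(line[i:j + 1])
                i = j + 1
                continue
            depth += (ch == "{") - (ch == "}")   # track action nesting
            if depth == 0 and ch != "}":
                outside.append(ch)
            i += 1
        if NUL_LITERAL.search("".join(outside)):
            hits.append((line_no, line.strip()))
    return hits

# Constructed sample modelled on the rule quoted in the report.
SAMPLE = r"""
%%
string_or_value:
    CFG_TRUE { $$ = $1; }
  | '\n' { $$.value.str.val = strdup(""); $$.value.str.len = 0; }
  | '\0' { $$.value.str.val = strdup(""); $$.value.str.len = 0; }
end_check:
    'x' { if (*p == '\0') { done = 1; } }
  ;
%%
"""

for line_no, text in find_nul_tokens(SAMPLE):
    print(f"line {line_no}: NUL literal used as a token: {text}")
```

Only the '\0' alternative is reported; the '\0' comparison inside the `end_check` action is ordinary C and is left alone.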
[2003-10-07 06:02 UTC] helly@php.net