Hi bison maintainers, we have found a NULL pointer dereference and would like to report this issue. Could you confirm if this qualifies as a bug? I am happy to provide any additional information needed.
## Summary

Using the -T option causes a crash due to a NULL pointer dereference.

## Details

- Vulnerability Type: NULL Pointer Dereference

## Reproduction

### Tested Environment

- OS: Ubuntu 24.04.3 LTS
- arch: x86_64
- CC: gcc 14.2.0
- glibc: 2.39

### Reproduction Steps

Any .y file containing grammar rules will do.

```bash
wget https://ftp.gnu.org/gnu/bison/bison-3.8.2.tar.gz
tar xzf bison-3.8.2.tar.gz   # unpack the release tarball before entering it
cd bison-3.8.2
./configure CC=gcc CFLAGS="-g -fsanitize=address" --prefix=/tmp/bison-3.8.2/build_asan
make
make install
./build_asan/bin/bison -T ./examples/c/calc/calc.y
```

## Output

```
=================================================================
==2034209==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x725dd0b8b75d bp 0x7ffcea8e4350 sp 0x7ffcea8e4328 T0)
==2034209==The signal is caused by a READ memory access.
==2034209==Hint: address points to the zero page.
    #0 0x725dd0b8b75d in __strlen_avx2 ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
    #1 0x725dd0a917c9 in __GI___fputs_unlocked libio/iofputs_u.c:34
    #2 0x6507354d6a05 in yy_symbol_value_print src/parse-gram.y:244
    #3 0x6507354d72fd in yy_symbol_print src/parse-gram.c:1392
    #4 0x6507354df96f in gram_parse src/parse-gram.c:2966
    #5 0x6507354fab62 in reader src/reader.c:766
    #6 0x6507354a300c in main src/main.c:118
    #7 0x725dd0a2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x725dd0a2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x650735458594 in _start (/tmp/bison-3.8.2/build_asan/bin/bison+0x36594) (BuildId: 723f38c6341d2ea7c8fb2425690cc799924e2171)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/strlen-avx2.S:76 in __strlen_avx2
```

## Root Cause

1. At locations that allow empty values (like tag.opt in src/parse-gram.c:2550), when the input is empty, the stored value becomes NULL (in this case, yyval.yykind_76).
2. When the -T command line argument is present (src/parse-gram.c:2996), debug information displays the input values.
3. When the input is empty (src/parse-gram.c:1236), NULL is passed as the first argument to fputs, causing a crash.

## Proposed Fix

Modified src/parse-gram.y to add null checks for values that allow empty input.

```diff
--- src/parse-gram.y.old	2025-09-05 13:40:52.350286200 +0900
+++ src/parse-gram.y	2025-09-05 13:40:56.292358851 +0900
@@ -234,14 +234,14 @@
 %printer { fputs (char_name ($$), yyo); } <unsigned char>
 
 %type <char*> "{...}" "%?{...}" "%{...%}" EPILOGUE STRING TSTRING
-%printer { fputs ($$, yyo); } <char*>
+%printer { fputs ($$?$$:"<NULL>", yyo); } <char*>
 
 %type <uniqstr>
   BRACKETED_ID ID ID_COLON
   PERCENT_ERROR_VERBOSE PERCENT_FILE_PREFIX PERCENT_FLAG PERCENT_NAME_PREFIX
   PERCENT_PURE_PARSER
   TAG tag tag.opt variable
-%printer { fputs ($$, yyo); } <uniqstr>
+%printer { fputs ($$?$$:"<NULL>", yyo); } <uniqstr>
 %printer { fprintf (yyo, "[%s]", $$); } BRACKETED_ID
 %printer { fprintf (yyo, "%s:", $$); } ID_COLON
 %printer { fprintf (yyo, "%%%s", $$); } PERCENT_FLAG
```
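Review bot: the two changed `%printer` lines guard every `<char*>` and `<uniqstr>` symbol against NULL, while the report itself traces the NULL to a single origin, the empty alternative of `tag.opt`; if `tag.opt` is the only symbol that can legitimately carry NULL, a dedicated `%printer` for `tag.opt` (or having its empty action store a non-NULL value) keeps the other printers strict, so a NULL in `STRING`, `ID` or `TSTRING` would still surface in the trace instead of being hidden as `<NULL>`. Whichever scope is chosen, write the conditional as `$$ ? $$ : "<NULL>"` to match the GNU spacing used on every other line of the hunk (`fputs ($$, yyo)`). Note also that the three `fprintf (yyo, "...%s...", $$)` printers for `BRACKETED_ID`, `ID_COLON` and `PERCENT_FLAG` in the same hunk remain unguarded; passing NULL for `%s` is undefined behaviour in standard C even though glibc happens to print `(null)`, so the commit message should state that those tokens can never be NULL.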
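The chain the report describes (an empty `tag.opt` leaves a NULL semantic value, and the `-T` trace hands that value straight to `fputs`) can be exercised without rebuilding bison. The following is an added example, not bison's source and not the reporter's patch: it models the per-`%type` dispatch that bison generates from `%printer` actions, with the NULL fallback from the proposed fix applied in the string printer, and renders the trace text into a buffer so it can be checked. The type, kind and function names (`sym_value`, `KIND_STRING`, `trace_symbol`, `trace_tag_opt`) are invented for this illustration, and the trace format is simplified (no location).

```c
/* Added example, not bison's code: a model of the symbol-value printer that
   bison generates from %printer actions, with the NULL fallback from the
   proposed fix. All names below are invented for the illustration. */
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

enum sym_kind { KIND_CHAR, KIND_STRING };

struct sym_value {
    enum sym_kind kind;
    union {
        unsigned char ch;   /* <unsigned char> symbols */
        const char *str;    /* <char*> / <uniqstr> symbols; NULL after an empty tag.opt */
    } u;
};

/* The <char*> / <uniqstr> %printer of the proposed fix, as a function.
   bison 3.8.2 does fputs ($$, yyo) here; a NULL value is undefined
   behaviour and glibc's fputs faults inside strlen, as in the ASan trace. */
static int print_string(FILE *out, const char *val)
{
    return fputs(val ? val : "<NULL>", out);
}

/* Models yy_symbol_value_print: choose the printer by the symbol's %type. */
static void print_value(FILE *out, const struct sym_value *v)
{
    switch (v->kind) {
    case KIND_CHAR:
        fprintf(out, "'%c'", v->u.ch);
        break;
    case KIND_STRING:
        print_string(out, v->u.str);
        break;
    }
}

/* Models yy_symbol_print: writes "<name> (<value>)" into a static buffer and
   returns it (overwritten by the next call), or NULL if no stream could be
   opened. The stream stands in for yyo, which -T points at stderr. */
const char *trace_symbol(const char *name, const struct sym_value *v)
{
    static char buf[256];
    memset(buf, 0, sizeof buf);
    FILE *out = fmemopen(buf, sizeof buf - 1, "w");
    if (!out)
        return NULL;
    fprintf(out, "%s (", name);
    print_value(out, v);
    fputs(")", out);
    fclose(out);
    return buf;
}

/* An empty tag.opt reduction leaves the <uniqstr> value NULL; pass NULL to
   see what the unpatched printer would have handed to fputs. */
const char *trace_tag_opt(const char *tag)
{
    struct sym_value v = { KIND_STRING, { .str = tag } };
    return trace_symbol("nterm tag.opt", &v);
}

/* A character token, printed by the <unsigned char> path, for contrast. */
const char *trace_char_token(unsigned char c)
{
    struct sym_value v = { KIND_CHAR, { .ch = c } };
    return trace_symbol("token", &v);
}

int main(void)
{
    /* Constructed values: one present tag, one empty tag.opt, one char token. */
    puts(trace_tag_opt("<int>"));
    puts(trace_tag_opt(NULL));
    puts(trace_char_token('+'));
    return 0;
}
```

With the fallback in place the empty reduction traces as `nterm tag.opt (<NULL>)`; replacing the ternary in `print_string` with a plain `fputs(val, out)` reproduces the report's fault on the second call.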
