1 files changed, 33 insertions, 0 deletions

diff --git a/dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch b/dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch
new file mode 100644
index 000000000000..053b3c06b161
--- /dev/null
+++ b/dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch
@@ -0,0 +1,33 @@
+Tue Jul 8 15:06:50 2008 UTC by otto
+
+Fix an venerable bug: if we're reducing a rule that has an empty
+right hand side and the yacc stackpointer is pointing at the very
+end of the allocated stack, we end up accessing the stack out of
+bounds by the implicit $$ = $1 action.  Detected by my new malloc,
+experienced by sturm@ on sparc64; ok deraadt@
+
+
+Index: yacc-1.9.1/skeleton.c
+===================================================================
+--- yacc-1.9.1.orig/skeleton.c
++++ yacc-1.9.1/skeleton.c
+@@ -18,6 +18,7 @@ char *banner[] =
+     "/*static char yysccsid[] = \"from: @(#)yaccpar	1.9 (Berkeley) 02/21/93\";*/",
+     "static char yyrcsid[] = \"$Id: byacc-1.9-CVE-2008-3196.patch,v 1.1 2008/10/04 18:57:31 rbu Exp $\";",
+     "#endif",
++    "#include <string.h>",
+     "#define YYBYACC 1",
+     "#define YYMAJOR 1",
+     "#define YYMINOR 9",
+@@ -226,7 +227,10 @@ char *body[] =
+     "                YYPREFIX, yystate, yyn, yyrule[yyn]);",
+     "#endif",
+     "    yym = yylen[yyn];",
+-    "    yyval = yyvsp[1-yym];",
++    "    if (yym)",
++    "        yyval = yyvsp[1-yym];",
++    "    else",
++    "        memset(&yyval, 0, sizeof yyval);",
+     "    switch (yyn)",
+     "    {",
+     0