
Possible Null Pointer Dereference in ParserATNSimulator.java

Open Sawraz-OpenRef opened this issue 1 year ago • 0 comments

What happened?

In file ParserATNSimulator.java, there is a potential null pointer dereference. In the method computeTargetState() inside class ParserATNSimulator, there is a call to predicateDFAState(). This method call passes two parameters, one of which is an object of the DecisionState class. This DecisionState object is retrieved by calling atn.getDecisionState(dfa.decision). Here, atn is an object of class ATN.

if ( D.isAcceptState && D.configs.hasSemanticContext ) {
    predicateDFAState(D, atn.getDecisionState(dfa.decision));
    if (D.predicates != null) {
        D.prediction = ATN.INVALID_ALT_NUMBER;
    }
}

Then the getNumberOfTransitions() method is invoked on the DecisionState object that was passed in.

protected void predicateDFAState(DFAState dfaState, DecisionState decisionState) {
    // We need to test all predicates, even in DFA states that
    // uniquely predict alternative.
    int nalts = decisionState.getNumberOfTransitions();
    // ...
}

But the getDecisionState() method of class ATN can return null under a certain condition: when decisionToState.isEmpty() is true.

public DecisionState getDecisionState(int decision) {
    if ( !decisionToState.isEmpty() ) {
        return decisionToState.get(decision);
    }
    return null;
}

If that happens, it will cause a NullPointerException in this call.

It is not immediately clear whether decisionToState.isEmpty() would always be false for the getDecisionState() call in the computeTargetState() method. If that is indeed the case, you may choose to ignore this issue.

Sponsorship and Support:

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.

The bug was found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.

Sawraz-OpenRef, Oct 29 '24 07:10
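The null path described in the report, as an added stand-alone example that is not ANTLR code and not part of the issue: the two classes below are hypothetical, simplified stand-ins for ATN and DecisionState that keep only the getDecisionState() shape quoted above (null when the list is empty), and the "checked" variant with its IllegalStateException is an assumed guard for illustration, not a proposed patch to ParserATNSimulator.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not ANTLR code: a minimal model of the ATN/DecisionState
// pattern from the issue, showing the null-returning path and one guard.
public class NullDecisionStateDemo {

    // Hypothetical stand-in for org.antlr.v4.runtime.atn.DecisionState.
    static final class DecisionState {
        private final int transitions;
        DecisionState(int transitions) { this.transitions = transitions; }
        int getNumberOfTransitions() { return transitions; }
    }

    // Hypothetical stand-in for org.antlr.v4.runtime.atn.ATN, reproducing the
    // getDecisionState() shape quoted in the issue: null when decisionToState is empty.
    static final class ATN {
        final List<DecisionState> decisionToState = new ArrayList<>();

        DecisionState getDecisionState(int decision) {
            if (!decisionToState.isEmpty()) {
                return decisionToState.get(decision);
            }
            return null;
        }
    }

    // Mirrors the dereference in predicateDFAState(): no null check on decisionState,
    // so a null argument surfaces as a NullPointerException here.
    static int naltsUnchecked(DecisionState decisionState) {
        return decisionState.getNumberOfTransitions();
    }

    // Assumed guard (not an ANTLR patch): resolve the state and fail at the call site
    // with a descriptive exception instead of a bare NullPointerException deeper in.
    static int naltsChecked(ATN atn, int decision) {
        DecisionState decisionState = atn.getDecisionState(decision);
        if (decisionState == null) {
            throw new IllegalStateException(
                "ATN has no decision states; cannot evaluate predicates for decision " + decision);
        }
        return decisionState.getNumberOfTransitions();
    }

    public static void main(String[] args) {
        // Constructed input: one populated ATN and one whose decisionToState is empty.
        ATN populated = new ATN();
        populated.decisionToState.add(new DecisionState(3));
        System.out.println("populated ATN: nalts = " + naltsChecked(populated, 0));

        ATN empty = new ATN();   // decisionToState.isEmpty() == true
        try {
            naltsUnchecked(empty.getDecisionState(0));
            System.out.println("unexpected: no exception on the unchecked path");
        } catch (NullPointerException e) {
            System.out.println("unchecked path: NullPointerException");
        }
        try {
            naltsChecked(empty, 0);
            System.out.println("unexpected: no exception on the checked path");
        } catch (IllegalStateException e) {
            System.out.println("checked path: " + e.getMessage());
        }
    }
}
```

Running the class prints the populated case normally, then shows the empty-list case failing first as a NullPointerException on the unchecked path and then as the descriptive IllegalStateException on the guarded path. Whether an ATN with an empty decisionToState can actually reach computeTargetState() in the real runtime is exactly the question the report leaves open; the example only isolates the pattern.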