Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible Null Pointer Dereference in ParserATNSimulator.java #4724

Open
Sawraz-OpenRef opened this issue Oct 29, 2024 · 0 comments
Open

Possible Null Pointer Dereference in ParserATNSimulator.java #4724

Sawraz-OpenRef opened this issue Oct 29, 2024 · 0 comments

Comments

@Sawraz-OpenRef
Copy link

What happened?

In file: ParserATNSimulator.java, there is a potential case of null pointer dereference. In method computeTargetState() inside class ParserATNSimulator, there is a call to predicateDFAState(). This method call passes two parameters, one of which is an object of DecisionState class. Now, this DecisionState object is retrieved by calling atn.getDecisionState(dfa.decision). Here, atn is an object of class ATN.

if ( D.isAcceptState && D.configs.hasSemanticContext ) {
	predicateDFAState(D, atn.getDecisionState(dfa.decision));
	if (D.predicates != null) {
		D.prediction = ATN.INVALID_ALT_NUMBER;
	}
}

Then getNumberOfTransitions() method is invoked on the supposedly passed DecisionState object.

protected void predicateDFAState(DFAState dfaState, DecisionState decisionState) {
	// We need to test all predicates, even in DFA states that
	// uniquely predict alternative.
	int nalts = decisionState.getNumberOfTransitions();
        ................
}

But getDecisionState() method of class ATN can return null under a certain condition, if decisionToState.isEmpty() is true.

public DecisionState getDecisionState(int decision) {
        if ( !decisionToState.isEmpty() ) {
            return decisionToState.get(decision);
        }
        return null;
    }

If it happens, then it will cause NullPointerException in this call.

It is not immediately clear whether decisionToState.isEmpty() would always be false for getDecisionState() call in computeTargetState() method. If that is indeed the case, you may choose to ignore this issue.

Sponsorship and Support:

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.

The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants
@Sawraz-OpenRef and others