yy_get_next_buffer doesn't perform bounds checks in the following lines:

    yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR;
    yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR;

This causes a segfault in bogofilter, an open-source Bayesian spam filter of which I'm the lead developer.
The problem occurs with flex 2.5.4, 2.5.31, and 2.5.33.
The attached tarball has a README.txt file which tells how to build the program and run it. It also has a modified flex output file showing yy_ch_buf's allocation and the buffer overflow as well as valgrind output showing the problem. Last but not least, there's source code for bogofilter and input to cause the problem.
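For comparison, here is a bounds-checked way of placing the two end-of-buffer sentinels, written as an added example for this report rather than taken from flex or bogofilter; the buf_state struct, set_eob_sentinels and demo are assumed names modelled loosely on flex's yy_ch_buf / yy_buf_size / yy_n_chars fields.

```c
/* Added example, not flex's own yy_get_next_buffer: write the two
 * YY_END_OF_BUFFER_CHAR sentinels only after checking (and if needed
 * growing) the buffer, so the writes at [n] and [n + 1] stay in bounds. */
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define YY_END_OF_BUFFER_CHAR 0

/* Minimal stand-in for flex's buffer state (assumed layout). */
typedef struct {
    char *yy_ch_buf;     /* input buffer */
    size_t yy_buf_size;  /* bytes allocated for yy_ch_buf */
} buf_state;

/* Place the sentinels after n_chars bytes of data, growing the buffer
 * first when there is no room. Returns 0 on success, -1 on failure.
 * The unchecked form writes buf[n] and buf[n + 1] regardless; when
 * n + 2 > yy_buf_size those writes run past the allocation. */
int set_eob_sentinels(buf_state *b, size_t n_chars)
{
    if (n_chars > SIZE_MAX - 2)          /* guard the n + 2 arithmetic */
        return -1;
    size_t needed = n_chars + 2;
    if (needed > b->yy_buf_size) {
        size_t new_size = b->yy_buf_size ? b->yy_buf_size * 2 : 16;
        if (new_size < needed)
            new_size = needed;
        char *p = realloc(b->yy_ch_buf, new_size);
        if (!p)
            return -1;
        b->yy_ch_buf = p;
        b->yy_buf_size = new_size;
    }
    b->yy_ch_buf[n_chars] = YY_END_OF_BUFFER_CHAR;
    b->yy_ch_buf[n_chars + 1] = YY_END_OF_BUFFER_CHAR;
    return 0;
}

/* Constructed scenario: an 8-byte buffer already full with 8 bytes of
 * input, i.e. exactly the case where the unchecked write overflows.
 * Returns 1 if the sentinels landed in bounds with data intact. */
int demo(void)
{
    buf_state b = { malloc(8), 8 };
    if (!b.yy_ch_buf) return -1;
    memcpy(b.yy_ch_buf, "abcdefgh", 8);
    int rc = set_eob_sentinels(&b, 8);   /* grows to 16, writes [8], [9] */
    int ok = (rc == 0 && b.yy_buf_size >= 10 && b.yy_ch_buf[7] == 'h'
              && b.yy_ch_buf[8] == 0 && b.yy_ch_buf[9] == 0);
    free(b.yy_ch_buf);
    return ok;
}
```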