This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[patch,libgfortran] Bug 61632 - memory corruption when writing formatted data

From: Jerry DeLisle <jvdelisle at charter dot net>
To: gfortran <fortran at gcc dot gnu dot org>, gcc patches <gcc-patches at gcc dot gnu dot org>
Date: Sun, 13 Jul 2014 14:39:32 -0700
Subject: [patch,libgfortran] Bug 61632 - memory corruption when writing formatted data
Authentication-results: sourceware.org; auth=none

Hi all,

This bug was caused by an access to an invalid pointer offset to the format
string. This was only a problem on the second error using the same format
string.  I suspect it has to do with caching the format strings.  Regardless,
the patch fixes this by using the fortran style string lengths to calculate the
position in the string where the error occurs.

Test case attached.

Regression tested on x86-64.

OK for trunk?

2014-07-12  Jerry DeLisle  <jvdelisle@gcc.gnu.org>

	PR libgfortran/61632
	* io/format.c (format_error): Avoid invalid string pointer by
	using the fortran string length values to generate error string.

Index: format.c
===================================================================
--- format.c	(revision 212420)
+++ format.c	(working copy)
@@ -1117,7 +1117,7 @@ parse_format_list (st_parameter_dt *dtp, bool *see
 void
 format_error (st_parameter_dt *dtp, const fnode *f, const char *message)
 {
-  int width, i, j, offset;
+  int width, i, offset;
 #define BUFLEN 300
   char *p, buffer[BUFLEN];
   format_data *fmt = dtp->u.p.fmt;
@@ -1130,13 +1130,10 @@ format_error (st_parameter_dt *dtp, const fnode *f
   else
     snprintf (buffer, BUFLEN, "%s\n", message);
 
-  j = fmt->format_string - dtp->format;
+  offset = dtp->format_len - fmt->format_string_len;
 
-  offset = (j > 60) ? j - 40 : 0;
+  width = dtp->format_len;
 
-  j -= offset;
-  width = dtp->format_len - offset;
-
   if (width > 80)
     width = 80;
 
@@ -1144,14 +1141,14 @@ format_error (st_parameter_dt *dtp, const fnode *f
 
   p = strchr (buffer, '\0');
 
-  memcpy (p, dtp->format + offset, width);
+  memcpy (p, dtp->format, width);
 
   p += width;
   *p++ = '\n';
 
   /* Show where the problem is */
 
-  for (i = 1; i < j; i++)
+  for (i = 1; i < offset; i++)
     *p++ = ' ';
 
   *p++ = '^';

! { dg-do run }
! Bug 61632 - memory corruption writing formatted data in error
      program p
      CHARACTER(3), save :: ZTYP(3)
      DATA ZTYP /'XXX','YYY','ZZZ'/
      write(10,600,IOSTAT=iosta) 0.0,ZTYP
      write(10,600,IOSTAT=iosta) 0.0,ZTYP
      close(10, status='delete')
 600  FORMAT(1PE13.5,4X,A3)
      end program p

Follow-Ups:
- Re: [patch,libgfortran] Bug 61632 - memory corruption when writing formatted data
  - From: Janne Blomqvist

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]