[Bug libfortran/34291] Uninitialized variable is used in io/list_read.c which causes segfault

Thu, 29 Nov 2007 18:39:44 -0800 


------- Comment #5 from ek dot kato at gmail dot com  2007-11-30 02:39 -------
Maybe I could find a reliable testcase for the problem.  Following program will
crash while accessing dtp->u.p.line_buffer[dtp->u.p.item_count].


  IMPLICIT NONE
  CHARACTER(len=10), DIMENSION(2)  :: var
  NAMELIST /inx/ var

  OPEN(unit=11, status='scratch')
  write (11, *) "&INX"
  write (11, *) "var(1)='hello'"
  write (11, *) "&END"
  rewind (11)

  READ(11,NML=inx)
  CLOSE(11)

END


Here is the backtrace.

(gdb) run
Starting program:
/Users/kato/src/gcc-4.2.999-071129/gcc/testsuite/gfortran.dg/a.out
Reading symbols for shared libraries .++ done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000005
0x0026f1d5 in next_char (dtp=0xbfffe6ac) at
../../../gcc-4.2.999-071129/libgfortran/io/list_read.c:152
152           c = dtp->u.p.line_buffer[dtp->u.p.item_count];
(gdb) where
#0  0x0026f1d5 in next_char (dtp=0xbfffe6ac) at
../../../gcc-4.2.999-071129/libgfortran/io/list_read.c:152
#1  0x0026f4e0 in eat_spaces (dtp=0xbfffe6ac) at
../../../gcc-4.2.999-071129/libgfortran/io/list_read.c:269
#2  0x0026f519 in eat_separator (dtp=0xbfffe6ac) at
../../../gcc-4.2.999-071129/libgfortran/io/list_read.c:294
#3  0x00272e48 in nml_get_obj_data (dtp=0xbfffe6ac, pprev_nl=0xbfffe5bc,
nml_err_msg=0xbfffe510 "\002\020") at
../../../gcc-4.2.999-071129/libgfortran/io/list_read.c:2388
#4  0x002739b3 in *__gfortrani_namelist_read (dtp=0xbfffe6ac) at
../../../gcc-4.2.999-071129/libgfortran/io/list_read.c:2716
#5  0x00279321 in finalize_transfer (dtp=0xbfffe6ac) at
../../../gcc-4.2.999-071129/libgfortran/io/transfer.c:2616
#6  0x00279511 in *__gfortran_st_read_done (dtp=0xbfffe6ac) at
../../../gcc-4.2.999-071129/libgfortran/io/transfer.c:2777
#7  0x00002c76 in MAIN__ ()
#8  0x00002ce8 in main (argc=1, argv=0xbfffe87c) at
../../../gcc-4.2.999-071129/libgfortran/fmain.c:21


Here is a workaround.

Index: list_read.c
===================================================================
--- list_read.c (revision 130508)
+++ list_read.c (working copy)
@@ -365,6 +365,9 @@
       break;

     case '/':
+    /* should check 'end' after the character? */
+    case '$':
+    case '&':
       dtp->u.p.input_complete = 1;
       if (!dtp->u.p.namelist_mode)
        return;


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=34291

Reply via email to