Hi all,
This problem was found with -fsanitize=address.
Turns out we are not correctly tracking the bytes left in the internal unit
string and we were reading memory past the end. I am sure the problem exists in
gcc 7 and I will examine gcc 6 as well and fix this in all cases I see. The
The function sread is basically a wrapper around memcpy.
The patch is fairly straight forward.
Regression tested on x86_64-pc-linux-gnu. OK for trunk and back ports as I find?
Regards,
Jerry
2017-12-16 Jerry DeLisle <[email protected]>
PR libgfortran/81937
* io/list_read.c (next_char_internal): Don't attempt to read
from the internal unit stream if no bytes are left. Decrement
bytes_left in the right place.
diff --git a/libgfortran/io/list_read.c b/libgfortran/io/list_read.c
index 379050cecad..037f2daa647 100644
--- a/libgfortran/io/list_read.c
+++ b/libgfortran/io/list_read.c
@@ -266,15 +266,19 @@ next_char_internal (st_parameter_dt *dtp)
}
/* Get the next character and handle end-of-record conditions. */
-
- if (is_char4_unit(dtp)) /* Check for kind=4 internal unit. */
- length = sread (dtp->u.p.current_unit->s, &c, 1);
+ if (likely (dtp->u.p.current_unit->bytes_left > 0))
+ {
+ if (unlikely (is_char4_unit(dtp))) /* Check for kind=4 internal unit. */
+ length = sread (dtp->u.p.current_unit->s, &c, 1);
+ else
+ {
+ char cc;
+ length = sread (dtp->u.p.current_unit->s, &cc, 1);
+ c = cc;
+ }
+ }
else
- {
- char cc;
- length = sread (dtp->u.p.current_unit->s, &cc, 1);
- c = cc;
- }
+ length = 0;
if (unlikely (length < 0))
{
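Review bot: The new guard `if (likely (dtp->u.p.current_unit->bytes_left > 0))` only keeps sread off the end of the unit if bytes_left cannot wrap, because the decrement this patch moves to after the whole block (third hunk, `dtp->u.p.current_unit->bytes_left--;`, now also reached on the `length = 0` path) still runs on every call once the unit is exhausted. If bytes_left is a signed offset type it merely drifts negative and the `> 0` test stays false; if it were unsigned the wrap would re-enable the read past the end, which is exactly the sanitizer finding being fixed. I'd either guard the decrement, `if (dtp->u.p.current_unit->bytes_left > 0) dtp->u.p.current_unit->bytes_left--;`, or, once the type is confirmed signed, put a comment above it such as `/* May go negative after the unit is exhausted; the > 0 check before sread tolerates that.  */`. The same counter movement covers the second hunk's removal of the old decrement; next_char_internal continues outside this hunk and the third hunk is cut off at the end of the page.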
@@ -290,7 +294,6 @@ next_char_internal (st_parameter_dt *dtp)
generate_error (&dtp->common, LIBERROR_INTERNAL_UNIT, NULL);
return '\0';
}
- dtp->u.p.current_unit->bytes_left--;
}
else
{
@@ -302,6 +305,7 @@ next_char_internal (st_parameter_dt *dtp)
dtp->u.p.at_eof = 1;
}
}
+ dtp->u.p.current_unit->bytes_left--;
done:
dtp->u.p.at_eol = (c == '\n' || c == EOF);