From patchwork Sun Jul 13 21:39:32 2014
X-Patchwork-Submitter: Jerry DeLisle
X-Patchwork-Id: 369445
Message-ID: <53C2FC94.4070008@charter.net>
Date: Sun, 13 Jul 2014 14:39:32 -0700
From: Jerry DeLisle
To: gfortran , gcc patches
Subject: [patch, libgfortran] Bug 61632 - memory corruption when writing formatted data

Hi all,

This bug was caused by an access to an invalid pointer offset to the format string. This was only a problem on the second error using the same format string. I suspect it has to do with caching the format strings.

Regardless, the patch fixes this by using the fortran style string lengths to calculate the position in the string where the error occurs.

Test case attached. Regression tested on x86-64.

OK for trunk?

2014-07-12  Jerry DeLisle

	PR libgfortran/61632
	* io/format.c (format_error): Avoid invalid string pointer by using the fortran string length values to generate error string.

Index: format.c =================================================================== --- format.c (revision 212420) +++ format.c (working copy) @@ -1117,7 +1117,7 @@ parse_format_list (st_parameter_dt *dtp, bool *see void format_error (st_parameter_dt *dtp, const fnode *f, const char *message) { - int width, i, j, offset; + int width, i, offset; #define BUFLEN 300 char *p, buffer[BUFLEN]; format_data *fmt = dtp->u.p.fmt; @@ -1130,13 +1130,10 @@ format_error (st_parameter_dt *dtp, const fnode *f else snprintf (buffer, BUFLEN, "%s\n", message); - j = fmt->format_string - dtp->format; + offset = dtp->format_len - fmt->format_string_len; - offset = (j > 60) ? j - 40 : 0; + width = dtp->format_len; - j -= offset; - width = dtp->format_len - offset; - if (width > 80) width = 80; @@ -1144,14 +1141,14 @@ format_error (st_parameter_dt *dtp, const fnode *f p = strchr (buffer, '\0'); - memcpy (p, dtp->format + offset, width); + memcpy (p, dtp->format, width); p += width; *p++ = '\n'; /* Show where the problem is */ - for (i = 1; i < j; i++) + for (i = 1; i < offset; i++) *p++ = ' '; *p++ = '^';
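Review bot: in the second hunk (@@ -1130,13 +1130,10 @@), `offset = dtp->format_len - fmt->format_string_len;` is used with no range check, and the removed windowing (`offset = (j > 60) ? j - 40 : 0;` followed by `j -= offset;`) was what kept the caret column small. `width` is still capped at 80 but `offset` is not, so for a format longer than 80 characters the error position can lie outside the text that is displayed. Please check that `offset` is within 0 and `dtp->format_len` before using it (a negative value if `format_string_len` is ever larger than `format_len` should be handled explicitly), and either keep the sliding window or clamp `offset` to `width`. A comment stating what `format_string_len` counts (characters remaining from the error position, as the subtraction implies) would also help the next reader.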
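Review bot: in the third hunk (@@ -1144,14 +1141,14 @@), the padding loop `for (i = 1; i < offset; i++) *p++ = ' ';` now writes up to `offset - 1` bytes into `buffer[BUFLEN]` (300 bytes, on the stack) after the message text, up to 80 copied format bytes and a newline, and nothing ties `offset` to the space that remains. With the old code the loop bound `j` was at most 60 after windowing; with this change it scales with `dtp->format_len`, so a long format string with an error near its end can write past the end of `buffer`, which is the same class of memory corruption this PR is about. Suggest bounding the pad count by the remaining room, for example against `buffer + BUFLEN - 2 - p`, before the loop. Also, `memcpy (p, dtp->format, width);` always shows the start of the format, so the caret and the displayed slice need to be computed from the same window.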