public inbox for gcc-bugs@sourceware.org
* [Bug fortran/55475] New: heap-buffer-overflow in fortran/error.c
@ 2012-11-26 20:49 hjl.tools at gmail dot com
  2012-11-26 21:59 ` [Bug fortran/55475] " burnus at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: hjl.tools at gmail dot com @ 2012-11-26 20:49 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55475

             Bug #: 55475
           Summary: heap-buffer-overflow in fortran/error.c
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: fortran
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: hjl.tools@gmail.com


[hjl@gnu-mic-1 gfortran]$
/export/build/gnu/gcc-x32-mx32-asan/build-x86_64-linux/gcc/testsuite/gfortran6/../../gfortran
-B/export/build/gnu/gcc-x32-mx32-asan/build-x86_64-linux/gcc/testsuite/gfortran6/../../
-B/export/build/gnu/gcc-x32-mx32-asan/build-x86_64-linux/x86_64-unknown-linux-gnu/./libgfortran/
/export/gnu/import/git/gcc/gcc/testsuite/gfortran.dg/line_length_4.f90 
-fno-diagnostics-show-caret   -O  -Wline-truncation -ffree-line-length-80 -S 
-mx32 -o line_length_4.s 
/export/gnu/import/git/gcc/gcc/testsuite/gfortran.dg/line_length_4.f90:8.85:

                     25  ), " Explanation ! "                         
=================================================================
==18910== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf6820398
at pc 0x583c85 bp 0xffff9ed0 sp 0xffff9ecc
READ of size 4 at 0xf6820398 thread T0
    #0 0x583c84
(/export/build/gnu/gcc-x32-mx32-asan/build-x86_64-linux/gcc/f951+0x583c84)
0xf6820398 is located 0 bytes to the right of 344-byte region
[0xf6820240,0xf6820398)
allocated by thread T0 here:
    #0 0x24ae2dc
(/export/build/gnu/gcc-x32-mx32-asan/build-x86_64-linux/gcc/f951+0x24ae2dc)
    #1 0x24a2c63
(/export/build/gnu/gcc-x32-mx32-asan/build-x86_64-linux/gcc/f951+0x24a2c63)
Shadow byte and word:
  0x3ed04073: fb
  0x3ed04070: 00 00 00 fb
More shadow bytes:
  0x3ed04060: 00 00 00 00
  0x3ed04064: 00 00 00 00
  0x3ed04068: 00 00 00 00
  0x3ed0406c: 00 00 00 00
=>0x3ed04070: 00 00 00 fb
  0x3ed04074: fb fb fb fb
  0x3ed04078: fa fa fa fa
  0x3ed0407c: fa fa fa fa
  0x3ed04080: fa fa fa fa
Stats: 0M malloced (0M for red zones) by 3129 calls
Stats: 0M realloced by 312 calls
Stats: 0M freed by 961 calls
Stats: 0M really freed by 0 calls
Stats: 5M (1285 full pages) mmaped in 10 calls
  mmaps   by size class: 7:4095; 8:2047; 9:1023; 10:511; 11:255; 12:128; 13:64;
14:32; 15:16; 17:4; 
  mallocs by size class: 7:2646; 8:171; 9:77; 10:138; 11:81; 12:4; 13:7; 14:1;
15:2; 17:2; 
  frees   by size class: 7:688; 8:62; 9:68; 10:132; 11:9; 12:1; 13:1; 
  rfrees  by size class: 
Stats: malloc large: 4 small slow: 30
==18910== ABORTING
[hjl@gnu-mic-1 gfortran]$ addr2line -e ../../f951 0x583c84
/export/gnu/import/git/gcc/gcc/fortran/error.c:393
[hjl@gnu-mic-1 gfortran]$



* [Bug fortran/55475] heap-buffer-overflow in fortran/error.c
  2012-11-26 20:49 [Bug fortran/55475] New: heap-buffer-overflow in fortran/error.c hjl.tools at gmail dot com
@ 2012-11-26 21:59 ` burnus at gcc dot gnu.org
  2012-12-03  8:56 ` burnus at gcc dot gnu.org
  2012-12-03 10:00 ` burnus at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: burnus at gcc dot gnu.org @ 2012-11-26 21:59 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55475

Tobias Burnus <burnus at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2012-11-26
                 CC|                            |burnus at gcc dot gnu.org
     Ever Confirmed|0                           |1

--- Comment #1 from Tobias Burnus <burnus at gcc dot gnu.org> 2012-11-26 21:59:32 UTC ---
Draft patch:

--- a/gcc/fortran/scanner.c
+++ b/gcc/fortran/scanner.c
@@ -1070,6 +1070,8 @@ restart:
          int maxlen = gfc_option.free_line_length;
+         gfc_char_t *current_nextc = gfc_current_locus.nextc;
+
          gfc_current_locus.lb->truncated = 0;
-         gfc_current_locus.nextc += maxlen;
+         gfc_current_locus.nextc =  gfc_current_locus.lb->line + maxlen;
          gfc_warning_now ("Line truncated at %L", &gfc_current_locus);
-         gfc_current_locus.nextc -= maxlen;
+         gfc_current_locus.nextc = current_nextc;
        }
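Review bot: the pre-patch `gfc_current_locus.nextc += maxlen;` adds the limit to wherever the scanner currently is rather than to the start of the line, so once nextc has already advanced the locus lands past the end of lb->line; that matches the report, which prints column 85 under -ffree-line-length-80 and shows a 4-byte read 0 bytes past the 344-byte line buffer at error.c:393. Rebasing on `gfc_current_locus.lb->line + maxlen` and restoring through the saved `current_nextc` is the right shape, and the explicit save/restore is safer than the symmetric `-= maxlen`. Two follow-ups: the double space in `gfc_current_locus.nextc =  gfc_current_locus.lb->line + maxlen;` is a style nit, and show_locus in error.c still indexes the line buffer purely from the locus, so it needs its own bounds check independent of this caller, so that any other mis-set locus fails loudly instead of reading off the end of the allocation.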



* [Bug fortran/55475] heap-buffer-overflow in fortran/error.c
  2012-11-26 20:49 [Bug fortran/55475] New: heap-buffer-overflow in fortran/error.c hjl.tools at gmail dot com
  2012-11-26 21:59 ` [Bug fortran/55475] " burnus at gcc dot gnu.org
@ 2012-12-03  8:56 ` burnus at gcc dot gnu.org
  2012-12-03 10:00 ` burnus at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: burnus at gcc dot gnu.org @ 2012-12-03  8:56 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55475

--- Comment #2 from Tobias Burnus <burnus at gcc dot gnu.org> 2012-12-03 08:56:22 UTC ---
Author: burnus
Date: Mon Dec  3 08:56:11 2012
New Revision: 194076

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=194076
Log:
2012-12-03  Tobias Burnus  <burnus@net-b.de>

        PR fortran/55475
        * scanner.c (gfc_next_char_literal): Fix setting locus
        to free_line_length for the error message.
        * error.c (show_locus): Fix potential out-of-bounds
        read.


Modified:
    trunk/gcc/fortran/ChangeLog
    trunk/gcc/fortran/error.c
    trunk/gcc/fortran/scanner.c


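The following is an added illustration and not code from GCC, from the patch in Comment #1, or from the commit in Comment #2. It is a miniature in C of the two things the ChangeLog entry names: the scanner setting the warning locus relative to the current pointer instead of to the start of the line, and a show_locus that reads through whatever locus it is handed. Every name here (line_buf, locus, locus_column, column_before_fix, column_after_fix, show_locus_checked, the demo_* functions) is a hypothetical stand-in for gfc_linebuf, gfc_current_locus and show_locus; gfc_char_t is modelled as a 4-byte int, and the 86-character sample line and the 80-column limit are constructed to mirror the numbers in the report.

```c
/* Added illustration (not GCC code) of the locus arithmetic behind
   PR fortran/55475.  All names are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>

#define CAPACITY 256   /* storage per line; keeps pointer arithmetic defined */

typedef int gchar;     /* stand-in for gfc_char_t: the 4-byte reads in the report */

struct line_buf {
  gchar line[CAPACITY];
  size_t len;          /* characters actually on the line (no terminator) */
};

struct locus {
  struct line_buf *lb;
  gchar *nextc;        /* next character the scanner will consume */
};

/* Column a diagnostic would print for the locus (1-based).  It is a pure
   pointer difference: nothing here knows how long the line really is. */
static long locus_column(const struct locus *l) {
  return (long)(l->nextc - l->lb->line) + 1;
}

/* Pre-patch logic: bump nextc by maxlen from wherever the scanner is.
   Only correct if nextc still points at the start of the line. */
static long column_before_fix(struct locus *l, int maxlen) {
  l->nextc += maxlen;
  long col = locus_column(l);
  l->nextc -= maxlen;
  return col;
}

/* Patched logic: anchor at lb->line + maxlen, then restore the saved pointer. */
static long column_after_fix(struct locus *l, int maxlen) {
  gchar *current_nextc = l->nextc;
  l->nextc = l->lb->line + maxlen;
  long col = locus_column(l);
  l->nextc = current_nextc;
  return col;
}

/* Defensive show_locus: refuse a locus outside [line, line + len) instead of
   reading through it.  Returns the character under the caret, or -1 when the
   locus is out of range (the situation that produced the heap-buffer-overflow). */
static int show_locus_checked(const struct locus *l) {
  const gchar *end = l->lb->line + l->lb->len;
  if (l->nextc < l->lb->line || l->nextc >= end)
    return -1;
  return *l->nextc;
}

/* Constructed scenario: an 86-character line (344 bytes of 4-byte chars, as
   in the report), an 80-column limit, and the scanner already 10 characters in. */
static struct line_buf sample;

static void make_sample(void) {
  sample.len = 86;
  for (size_t i = 0; i < sample.len; i++)
    sample.line[i] = 'a' + (gchar)(i % 26);
}

/* Column the old code places the warning at: 10 + 80 + 1 = 91, past the line. */
long demo_old_column(void) {
  make_sample();
  struct locus l = { &sample, sample.line + 10 };
  return column_before_fix(&l, 80);
}

/* Column the patched code places the warning at: 81, the truncation point. */
long demo_new_column(void) {
  make_sample();
  struct locus l = { &sample, sample.line + 10 };
  return column_after_fix(&l, 80);
}

/* A bounds-checked show_locus refuses the old (out-of-range) locus ... */
int demo_checked_old(void) {
  make_sample();
  struct locus l = { &sample, sample.line + 10 + 80 };
  return show_locus_checked(&l);
}

/* ... and returns line[80] ('a' + 80 % 26 = 'c') for the patched one. */
int demo_checked_new(void) {
  make_sample();
  struct locus l = { &sample, sample.line + 80 };
  return show_locus_checked(&l);
}

int main(void) {
  printf("old column %ld, new column %ld\n", demo_old_column(), demo_new_column());
  printf("checked old %d, checked new %d\n", demo_checked_old(), demo_checked_new());
  return 0;
}
```

The two halves are deliberately independent: fixing the caller (column_after_fix) removes this instance of the bad locus, while the check in show_locus_checked is what stops any other caller that mis-sets nextc from turning a diagnostic into an out-of-bounds read, which is why the committed change touched both scanner.c and error.c.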

* [Bug fortran/55475] heap-buffer-overflow in fortran/error.c
  2012-11-26 20:49 [Bug fortran/55475] New: heap-buffer-overflow in fortran/error.c hjl.tools at gmail dot com
  2012-11-26 21:59 ` [Bug fortran/55475] " burnus at gcc dot gnu.org
  2012-12-03  8:56 ` burnus at gcc dot gnu.org
@ 2012-12-03 10:00 ` burnus at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: burnus at gcc dot gnu.org @ 2012-12-03 10:00 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55475

Tobias Burnus <burnus at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #3 from Tobias Burnus <burnus at gcc dot gnu.org> 2012-12-03 09:59:41 UTC ---
FIXED thanks for the report!


