PR fortran/95707 - ICE in finish_equivalences, at fortran/trans-common.c:1319

Message ID trinity-3abd8d9b-88e9-486e-a18e-057826ff0dc2-1592422029182@3c-app-gmx-bs33
State New
Headers show
Series
  • PR fortran/95707 - ICE in finish_equivalences, at fortran/trans-common.c:1319
Related show

Commit Message

Harald Anlauf June 17, 2020, 7:27 p.m.
Another corner case of buffer overflows during name mangling found by
Gerhard.  We now check that the new buffer sizes suffice.

The patch is on top of the patches for PRs 95687, 95688, 95689.

Regtested on x86_64-pc-linux-gnu.

OK for master / backports?

Thanks,
Harald


PR fortran/95707 - ICE in finish_equivalences, at fortran/trans-common.c:1319

With submodules and equivalence declarations, name mangling may result in
long internal symbols overflowing internal buffers.  We now check that
we do not exceed the enlarged buffer sizes.

gcc/fortran/
	PR fortran/95707
	* gfortran.h (gfc_common_head): Enlarge buffer.
	* trans-common.c (gfc_sym_mangled_common_id): Enlarge temporary
	buffers, and add check on length on mangled name to prevent
	overflow.

Comments

Jakub Jelinek via Gcc-patches June 20, 2020, 9:06 a.m. | #1
Am 17.06.20 um 21:27 schrieb Harald Anlauf:
> OK for master / backports?


OK.

Thanks for the patch!

Regards

	Thomas
Jakub Jelinek via Gcc-patches June 23, 2020, 9:55 p.m. | #2
OK, and once again, thanks.
Jerry

On 6/17/20 12:27 PM, Harald Anlauf wrote:
> Another corner case of buffer overflows during name mangling found by

> Gerhard.  We now check that the new buffer sizes suffice.

>

> The patch is on top of the patches for PRs 95687, 95688, 95689.

>

> Regtested on x86_64-pc-linux-gnu.

>

> OK for master / backports?

>

> Thanks,

> Harald

>

>

> PR fortran/95707 - ICE in finish_equivalences, at fortran/trans-common.c:1319

>

> With submodules and equivalence declarations, name mangling may result in

> long internal symbols overflowing internal buffers.  We now check that

> we do not exceed the enlarged buffer sizes.

>

> gcc/fortran/

> 	PR fortran/95707

> 	* gfortran.h (gfc_common_head): Enlarge buffer.

> 	* trans-common.c (gfc_sym_mangled_common_id): Enlarge temporary

> 	buffers, and add check on length on mangled name to prevent

> 	overflow.

Patch

diff --git a/gcc/fortran/gfortran.h b/gcc/fortran/gfortran.h
index c12a8bef277..836e0b3063d 100644
--- a/gcc/fortran/gfortran.h
+++ b/gcc/fortran/gfortran.h
@@ -1677,8 +1677,8 @@  typedef struct gfc_common_head
   char use_assoc, saved, threadprivate;
   unsigned char omp_declare_target : 1;
   unsigned char omp_declare_target_link : 1;
-  /* Provide sufficient space to hold "symbol.eq.1234567890".  */
-  char name[GFC_MAX_SYMBOL_LEN + 1 + 14];
+  /* Provide sufficient space to hold "symbol.symbol.eq.1234567890".  */
+  char name[2*GFC_MAX_SYMBOL_LEN + 1 + 14 + 1];
   struct gfc_symbol *head;
   const char* binding_label;
   int is_bind_c;
diff --git a/gcc/fortran/trans-common.c b/gcc/fortran/trans-common.c
index 1acc336eacf..c6383fc2352 100644
--- a/gcc/fortran/trans-common.c
+++ b/gcc/fortran/trans-common.c
@@ -242,11 +242,13 @@  static tree
 gfc_sym_mangled_common_id (gfc_common_head *com)
 {
   int has_underscore;
-  /* Provide sufficient space to hold "symbol.eq.1234567890__".  */
-  char mangled_name[GFC_MAX_MANGLED_SYMBOL_LEN + 1 + 16];
-  char name[GFC_MAX_SYMBOL_LEN + 1 + 16];
+  /* Provide sufficient space to hold "symbol.symbol.eq.1234567890__".  */
+  char mangled_name[2*GFC_MAX_MANGLED_SYMBOL_LEN + 1 + 16 + 1];
+  char name[sizeof (mangled_name) - 2];

   /* Get the name out of the common block pointer.  */
+  size_t len = strlen (com->name);
+  gcc_assert (len < sizeof (name));
   strcpy (name, com->name);

   /* If we're suppose to do a bind(c).  */
diff --git a/gcc/testsuite/gfortran.dg/pr95707.f90 b/gcc/testsuite/gfortran.dg/pr95707.f90
new file mode 100644
index 00000000000..3279a6320cf
--- /dev/null
+++ b/gcc/testsuite/gfortran.dg/pr95707.f90
@@ -0,0 +1,16 @@ 
+! { dg-do compile }
+! { dg-options "-fsecond-underscore" }
+! PR fortran/95707 - ICE in finish_equivalences, at fortran/trans-common.c:1319
+
+module m2345678901234567890123456789012345678901234567890123456789_123
+  interface
+     module subroutine s2345678901234567890123456789012345678901234567890123456789_123
+     end
+  end interface
+end
+submodule(m2345678901234567890123456789012345678901234567890123456789_123) &
+          n2345678901234567890123456789012345678901234567890123456789_123
+  real :: a(4), u(3,2)
+  real :: b(4), v(4,2)
+  equivalence (a(1),u(1,1)), (b(1),v(1,1))
+end