From: Jerry DeLisle Date: Sat, 16 Dec 2017 22:41:13 +0000 (+0000) Subject: backport: re PR libfortran/81937 (stack-buffer-overflow on memcpy in libgfortran... X-Git-Tag: releases/gcc-6.5.0~632 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=925b07ce5504da36ef0bb840ceed43c8a6a5a855;p=thirdparty%2Fgcc.git backport: re PR libfortran/81937 (stack-buffer-overflow on memcpy in libgfortran/io/unix.c on character(kind=4)) 2017-12-16 Jerry DeLisle Backport from trunk PR libgfortran/81937 * io/list_read.c (next_char_internal): Don't attempt to read from the internal unit stream if no bytes are left. Decrement bytes_left in the right place. From-SVN: r255754 --- diff --git a/libgfortran/ChangeLog b/libgfortran/ChangeLog index dd0eb9c720ee..2e73dd1002d9 100644 --- a/libgfortran/ChangeLog +++ b/libgfortran/ChangeLog @@ -1,3 +1,11 @@ +2017-12-16 Jerry DeLisle + + Backport from trunk + PR libgfortran/81937 + * io/list_read.c (next_char_internal): Don't attempt to read + from the internal unit stream if no bytes are left. Decrement + bytes_left in the right place. + 2017-10-22 Thomas Koenig Backport from trunk diff --git a/libgfortran/io/list_read.c b/libgfortran/io/list_read.c index 244430d9765b..986a0714cb9c 100644 --- a/libgfortran/io/list_read.c +++ b/libgfortran/io/list_read.c @@ -266,15 +266,19 @@ next_char_internal (st_parameter_dt *dtp) } /* Get the next character and handle end-of-record conditions. */ - - if (dtp->common.unit) /* Check for kind=4 internal unit. */ - length = sread (dtp->u.p.current_unit->s, &c, 1); + if (likely (dtp->u.p.current_unit->bytes_left > 0)) + { + if (dtp->common.unit) /* Check for kind=4 internal unit. */ + length = sread (dtp->u.p.current_unit->s, &c, 1); + else + { + char cc; + length = sread (dtp->u.p.current_unit->s, &cc, 1); + c = cc; + } + } else - { - char cc; - length = sread (dtp->u.p.current_unit->s, &cc, 1); - c = cc; - } + length = 0; if (unlikely (length < 0)) { 
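Review bot: The new `if (likely (dtp->u.p.current_unit->bytes_left > 0))` guard in next_char_internal is what keeps sread() away from an exhausted internal unit, yet nothing beside it ties it to the overflow it prevents, and the diff as shown adds no regression test for PR libgfortran/81937. I would put `/* Never call sread on an exhausted internal unit (PR libgfortran/81937). */` directly above the guard so a later cleanup does not fold it away. The same comment should state whether bytes_left counts bytes or characters for the kind=4 branch, since that is not visible here and decides whether `> 0` is a sufficient bound for a read into `c`. The function starts before this hunk and continues after it.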
@@ -290,7 +294,6 @@ next_char_internal (st_parameter_dt *dtp) generate_error (&dtp->common, LIBERROR_INTERNAL_UNIT, NULL); return '\0'; } - dtp->u.p.current_unit->bytes_left--; } else { @@ -302,6 +305,7 @@ next_char_internal (st_parameter_dt *dtp) dtp->u.p.at_eof = 1; } } + dtp->u.p.current_unit->bytes_left--; done: dtp->u.p.at_eol = (c == '\n' || c == EOF);
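Review bot: The relocated `dtp->u.p.current_unit->bytes_left--;` just before `done:` now appears to run on the path where nothing was read as well. The `length = 0` branch added in the first hunk falls through the non-array `else` arm (c = EOF, at_eof = 1) and then reaches the decrement, so each further call at end of data pushes bytes_left further below zero. The `> 0` guard tolerates a negative value, but any code that tests bytes_left against zero for equality or uses it as a length would not; that code is outside these hunks, so it is worth confirming. If a negative count is intended, document it with `/* bytes_left may go negative at EOF; callers must test > 0, not == 0. */`, otherwise make the decrement conditional with `if (length > 0)`.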