shylie/llvm-project
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity

[flang] [flang-rt] Subscript overrun could occur in namelists during a READ command. (#176959)

Browse Source 
NOTE: This is a new pull request, as the prior didn't have labels
properly applied.

If a bad subscript is provided in a namelisted record, the
HandleSubscripts() routine can read off into infinity. This patch
ensures that a read will not go beyond the rank of the expected
variable.

The failure will then be captured in the return status (IOSTAT) of the
READ.

The small test demonstrates the failure before and after the fix.

---------

Co-authored-by: Kevin Wyatt <kwyatt@hpe.com>
This commit is contained in:
kwyatt-ext 2026-03-18 16:26:15 -05:00 committed by GitHub
parent d70ebc84ac
commit 2a89e249a2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
flang-rt/lib/runtime/namelist.cpp
View File

@ -170,7 +170,9 @@ static RT_API_ATTRS bool HandleSubscripts(IoStatementState &io,
std::size_t byteCount{0};
common::optional<char32_t> ch{io.GetNextNonBlank(byteCount)};
char32_t comma{GetComma(io)};
for (; ch && *ch != ')'; ++j) {
// Read subscripts, but don't exceed rank to prevent buffer overrun.
for (int rank{source.rank()}; ch && *ch != ')' && j <= rank; ++j) {
SubscriptValue dimLower{0}, dimUpper{0}, dimStride{0};
if (j < maxRank && j < source.rank()) {
const Dimension &dim{source.GetDimension(j)};