From 2a89e249a293f96a0efafefc9df587b995d34b6f Mon Sep 17 00:00:00 2001
From: kwyatt-ext <kwyatt.external@hpe.com>
Date: Wed, 18 Mar 2026 16:26:15 -0500
Subject: [PATCH] [flang] [flang-rt] Subscript overrun could occur in namelists
 during a READ command. (#176959)

NOTE: This is a new pull request, as the prior didn't have labels
properly applied.

If a bad subscript is provided in a namelisted record, the
HandleSubscripts() routine can read off into infinity. This patch
ensures that a read will not go beyond the rank of the expected
variable.

The failure will then be captured in the return status (IOSTAT) of the
READ.

The small test demonstrates the failure before and after the fix.

---------

Co-authored-by: Kevin Wyatt <kwyatt@hpe.com>
---
 flang-rt/lib/runtime/namelist.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/flang-rt/lib/runtime/namelist.cpp b/flang-rt/lib/runtime/namelist.cpp
index e9c0b8ffa2da..c1745595b88f 100644
--- a/flang-rt/lib/runtime/namelist.cpp
+++ b/flang-rt/lib/runtime/namelist.cpp
@@ -170,7 +170,9 @@ static RT_API_ATTRS bool HandleSubscripts(IoStatementState &io,
   std::size_t byteCount{0};
   common::optional<char32_t> ch{io.GetNextNonBlank(byteCount)};
   char32_t comma{GetComma(io)};
-  for (; ch && *ch != ')'; ++j) {
+
+  // Read subscripts, but don't exceed rank to prevent buffer overrun.
+  for (int rank{source.rank()}; ch && *ch != ')' && j <= rank; ++j) {
     SubscriptValue dimLower{0}, dimUpper{0}, dimStride{0};
     if (j < maxRank && j < source.rank()) {
       const Dimension &dim{source.GetDimension(j)};