From patchwork Mon Jun 15 21:32:43 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Harald Anlauf <anlauf@gmx.de>
X-Patchwork-Id: 1309839
Return-Path: <gcc-patches-bounces@gcc.gnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=gcc.gnu.org
 (client-ip=2620:52:3:1:0:246e:9693:128c; helo=sourceware.org;
 envelope-from=gcc-patches-bounces@gcc.gnu.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=none (p=none dis=none) header.from=gmx.de
Authentication-Results: ozlabs.org;
	dkim=pass (1024-bit key;
 secure) header.d=gmx.net header.i=@gmx.net header.a=rsa-sha256
 header.s=badeba3b8450 header.b=Emb9muef;
	dkim-atps=neutral
Received: from sourceware.org (server2.sourceware.org
 [IPv6:2620:52:3:1:0:246e:9693:128c])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 49m4LX0MhFz9s1x
	for <incoming@patchwork.ozlabs.org>; Tue, 16 Jun 2020 07:32:52 +1000 (AEST)
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id CC6AB383F843;
	Mon, 15 Jun 2020 21:32:47 +0000 (GMT)
X-Original-To: gcc-patches@gcc.gnu.org
Delivered-To: gcc-patches@gcc.gnu.org
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15])
 by sourceware.org (Postfix) with ESMTPS id 27F0A386F447;
 Mon, 15 Jun 2020 21:32:45 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 27F0A386F447
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=gmx.de
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=anlauf@gmx.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net;
 s=badeba3b8450; t=1592256763;
 bh=SYxTOuTtBycdpOSPk26yxPrRF5HuhI63QGNDPooe3pE=;
 h=X-UI-Sender-Class:From:To:Subject:Date;
 b=Emb9muef7nfTHglkHlW9wtkg6kIwyvq4GiiLPT9IdFpfBqw3UOMuGkIJKMCMD43Yc
 F9WYH6DxDQ1MEBw6XSpyn7fcVx8XLetMJkdEd1a6iqqucLNTd/DB4WVzRrfmIXkafW
 E5cYSyH6enSc3ocwvfa4DccjPZCzHpwaLVwwVv2Y=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [93.207.84.53] ([93.207.84.53]) by web-mail.gmx.net
 (3c-app-gmx-bs33.server.lan [172.19.170.85]) (via HTTP); Mon, 15 Jun 2020
 23:32:43 +0200
MIME-Version: 1.0
Message-ID: 
 <trinity-c6f392c0-5225-4b2f-afee-ce7bc5ea40c3-1592256763547@3c-app-gmx-bs33>
From: Harald Anlauf <anlauf@gmx.de>
To: fortran <fortran@gcc.gnu.org>, gcc-patches <gcc-patches@gcc.gnu.org>
Subject: PR fortran/95687 - ICE in get_unique_hashed_string, at
 fortran/class.c:508
Date: Mon, 15 Jun 2020 23:32:43 +0200
Importance: normal
Sensitivity: Normal
X-Priority: 3
X-Provags-ID: 
 V03:K1:I4WW4nZplj2Is6wYDoUPWXAjlAVrB13iE9nP1XMb6qg48uIi7VgZDfC7eUvUIMs3Yb77w
 iDAY+duudBc/SqNeVXGqh5R+a2e69kvgFbby0Li/S0ectL4PUcACuDgvkBRIrUVK7n3BJYf5rKvi
 hk6b0TaCD/I8yyXyyTVWz6jvSSBrHTmgKOf0sz2b8WmuNzNxko+ThWWQ7WtAZZQW+ts+RbuFhrKW
 4Hrv8fIBJdJKmUSONyvGbM1wiotZXCA7Rb/zff0ALcjneeCwbQYlEToQgagr4cM+yGNnDdENFfyO
 /Q=
X-UI-Out-Filterresults: notjunk:1;V03:K0:9N7/0j4LdG8=:OWWsqtebFiSOJuqth3VXS4
 HEe2Nz5jKCPbHygJ3ZEqbx0JxQhICfNodUSIdTQqUcN94OG4SF93fcQmLVYOmJacyfLhGEuIK
 7TqH+au4tY3zPrRjNQdxQazat+7oGuFez7ydflyVr63tWVpVAbS/Fero695yz5um7+q4+4iDN
 sn2HZpvkU1MP9DlhFzYx9qgHOI1vdnt5GANjanAAvua5fFlE0iNVTL1+0KT+Y/8TRemkmMmSn
 UjoSKVP6W0cgJ2r3IYD+ahf1AVoJWXili231l9FT4nU9uteBN/FAsU0/kmkA+KPCCl5In/T+a
 Ee2p6wTH/lJZSjfZKL4L4gpiHpoUjKpPNcrhkRysP8mgRUSpjx2D2kQm1eMTemgnGrKQTQZZz
 9jlVr2vHNYYbpFKssk5gTGIhaaZX7+RCZdZnUwjhZZsxw+7uqFwMI3iP2mVj5aftz3znJTKEq
 WRbJcHYFJwWSO0Q9QXD6aOtIxi+rtFC6Luz45pOuR4g2xldmiZlnnKFTPv5shMVM+pZGGBwWg
 M+6wuufiaMBPmq/T4oeWOmtxEH22Dhj7y2PHqIgJLXW5bOifyXWDQawe5C1nv+4cB8Ll51lUE
 63bAZjFnd0KPkGVP448EL15zPxeY6WRAuJIkXyPF0jR3//HRqbt3RZWm/RnG/d3BQmcg0dheh
 TIs6zlEY4Sdq8qZbeq1kTnSyKUJXXJG6rTl+xlSJBTcjjZPi6OuoeZ3u0SBkq+4THvy4=
X-Spam-Status: No, score=-10.7 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, FREEMAIL_FROM, GIT_PATCH_0, KAM_LOTSOFHASH, KAM_NUMSUBJECT,
 RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: gcc-patches@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org>
List-Unsubscribe: <http://gcc.gnu.org/mailman/options/gcc-patches>,
 <mailto:gcc-patches-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/>
List-Post: <mailto:gcc-patches@gcc.gnu.org>
List-Help: <mailto:gcc-patches-request@gcc.gnu.org?subject=help>
List-Subscribe: <http://gcc.gnu.org/mailman/listinfo/gcc-patches>,
 <mailto:gcc-patches-request@gcc.gnu.org?subject=subscribe>
Errors-To: gcc-patches-bounces@gcc.gnu.org
Sender: "Gcc-patches" <gcc-patches-bounces@gcc.gnu.org>

And yet ABRBG (another one by Gerhard) provoking a buffer overflow.

Sigh.  At least this time we caught it on master.

Regtested on x86_64-pc-linux-gnu.

OK for master, and backports where appropriate?

Thanks,
Harald


PR fortran/95687 - ICE in get_unique_hashed_string, at fortran/class.c:508

With submodules and PDTs, name mangling of interfaces may result in long
internal symbols overflowing a previously static internal buffer.  We now
set the buffer size dynamically.

gcc/fortran/
	PR fortran/95687
	* class.c (get_unique_type_string): Return a string with dynamic
	length.
	(get_unique_hashed_string, gfc_hash_value): Use dynamic result
	from get_unique_type_string instead of static buffer.

diff --git a/gcc/fortran/class.c b/gcc/fortran/class.c
index 227134eef3d..c2f7db0fe55 100644
--- a/gcc/fortran/class.c
+++ b/gcc/fortran/class.c
@@ -476,22 +476,38 @@ gfc_class_initializer (gfc_typespec *ts, gfc_expr *init_expr)
    and module name. This is used to construct unique names for the class
    containers and vtab symbols.  */

-static void
-get_unique_type_string (char *string, gfc_symbol *derived)
+static char *
+get_unique_type_string (gfc_symbol *derived)
 {
   const char *dt_name;
+  char *string;
+  size_t len;
   if (derived->attr.unlimited_polymorphic)
     dt_name = "STAR";
   else
     dt_name = gfc_dt_upper_string (derived->name);
+  len = strlen (dt_name) + 2;
   if (derived->attr.unlimited_polymorphic)
-    sprintf (string, "_%s", dt_name);
+    {
+      string = XALLOCAVEC (char, len);
+      sprintf (string, "_%s", dt_name);
+    }
   else if (derived->module)
-    sprintf (string, "%s_%s", derived->module, dt_name);
+    {
+      string = XALLOCAVEC (char, strlen (derived->module) + len);
+      sprintf (string, "%s_%s", derived->module, dt_name);
+    }
   else if (derived->ns->proc_name)
-    sprintf (string, "%s_%s", derived->ns->proc_name->name, dt_name);
+    {
+      string = XALLOCAVEC (char, strlen (derived->ns->proc_name->name) + len);
+      sprintf (string, "%s_%s", derived->ns->proc_name->name, dt_name);
+    }
   else
-    sprintf (string, "_%s", dt_name);
+    {
+      string = XALLOCAVEC (char, len);
+      sprintf (string, "_%s", dt_name);
+    }
+  return string;
 }


@@ -502,10 +518,8 @@ static void
 get_unique_hashed_string (char *string, gfc_symbol *derived)
 {
   /* Provide sufficient space to hold "symbol.symbol_symbol".  */
-  char tmp[3*GFC_MAX_SYMBOL_LEN+3];
-  get_unique_type_string (&tmp[0], derived);
-  size_t len = strnlen (tmp, sizeof (tmp));
-  gcc_assert (len < sizeof (tmp));
+  char *tmp;
+  tmp = get_unique_type_string (derived);
   /* If string is too long, use hash value in hex representation (allow for
      extra decoration, cf. gfc_build_class_symbol & gfc_find_derived_vtab).
      We need space to for 15 characters "__class_" + symbol name + "_%d_%da",
@@ -527,12 +541,11 @@ gfc_hash_value (gfc_symbol *sym)
 {
   unsigned int hash = 0;
   /* Provide sufficient space to hold "symbol.symbol_symbol".  */
-  char c[3*GFC_MAX_SYMBOL_LEN+3];
+  char *c;
   int i, len;

-  get_unique_type_string (&c[0], sym);
-  len = strnlen (c, sizeof (c));
-  gcc_assert ((size_t) len < sizeof (c));
+  c = get_unique_type_string (sym);
+  len = strlen (c);

   for (i = 0; i < len; i++)
     hash = (hash << 6) + (hash << 16) - hash + c[i];
diff --git a/gcc/testsuite/gfortran.dg/pr95687.f90 b/gcc/testsuite/gfortran.dg/pr95687.f90
new file mode 100644
index 00000000000..a674533179a
--- /dev/null
+++ b/gcc/testsuite/gfortran.dg/pr95687.f90
@@ -0,0 +1,19 @@
+! { dg-do compile }
+! { dg-options "-fsecond-underscore" }
+! PR fortran/95687 - ICE in get_unique_hashed_string, at fortran/class.c:508
+
+module m2345678901234567890123456789012345678901234567890123456789_123
+  interface
+     module subroutine s2345678901234567890123456789012345678901234567890123456789_123
+     end
+  end interface
+end
+submodule(m2345678901234567890123456789012345678901234567890123456789_123) &
+          n2345678901234567890123456789012345678901234567890123456789_123
+  type t2345678901234567890123456789012345678901234567890123456789_123 &
+      (a2345678901234567890123456789012345678901234567890123456789_123)
+     integer, kind :: a2345678901234567890123456789012345678901234567890123456789_123 = 4
+  end type
+  class(t2345678901234567890123456789012345678901234567890123456789_123(3)), pointer :: &
+        x2345678901234567890123456789012345678901234567890123456789_123
+end