https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188

Bug ID: 62188
Summary: Array bounds overrun in bessel_yn_r4/8/16 and other functions
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libfortran
Assignee: unassigned at gcc dot gnu.org
Reporter: vogt at linux dot vnet.ibm.com

There's an array bounds overrun in
gfortran/generated/bessel_r4.c:bessel_yn_r4(). The function is passed the
arguments n1 and n2 (n1 <= n2) and allocates memory for (n2 - n1 + 1) result
values:

  size_t size = n2 < n1 ? 0 : n2-n1+1;
  ...
  ret->base_addr = xmallocarray (size, sizeof (GFC_REAL_4));

But later on it writes from index 0 to n1 + n2:

  for (...; i <= n1+n2; ...)
    ...          ^^^^^
    ret->base_addr[i*stride] = ...;

The loop should be

  for (i = 2; i < n2-n1; i++)

instead. The same bug exists in bessel_r8.c and bessel_r16.c and has been
present since at least gcc-4.8.

The existing test cases (bessel_<n>.f90) all use 0 or low values > 0, so they
have not caught this bug yet.
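
A simplified model of the size/bound mismatch described in this report, added here as an illustration; it is not code from libgfortran. The function names, the caller-supplied seed values and the assumption 0 <= n1 <= n2 are constructed for the example, and every store is checked against the allocated count so that out-of-range writes are counted instead of performed.

```c
#include <stddef.h>

/* Result slots allocated for orders n1..n2 (same expression as the report). */
static size_t alloc_count(int n1, int n2)
{
    return n2 < n1 ? 0 : (size_t)(n2 - n1) + 1;
}

/* Simplified model (assumption): out[i] holds Y_{n1+i}(x), seeded with
 * caller-supplied y0 = Y_n1(x) and y1 = Y_{n1+1}(x), then continued with
 * the recurrence Y_{n+1}(x) = (2n/x) Y_n(x) - Y_{n-1}(x) while i <= last.
 * Every store is checked against cap; the return value is the number of
 * stores that would have landed past the end of out[]. */
static size_t fill_yn(int n1, double x, double y0, double y1,
                      double *out, size_t cap, size_t last)
{
    size_t rejected = 0;
    double prev2 = y0, prev1 = y1;

    for (size_t i = 0; i <= last; i++) {
        double v;
        if (i == 0) {
            v = y0;
        } else if (i == 1) {
            v = y1;
        } else {
            v = 2.0 * (double)(n1 + (int)i - 1) / x * prev1 - prev2;
            prev2 = prev1;
            prev1 = v;
        }
        if (i < cap)
            out[i] = v;     /* inside the allocation */
        else
            rejected++;     /* would be a heap overrun */
    }
    return rejected;
}

/* Out-of-bounds stores for the bound quoted in the report, i <= n1+n2.
 * x and the two seeds are constructed sample values. */
static size_t overrun_with_reported_bound(int n1, int n2, double *out)
{
    return fill_yn(n1, 2.0, 1.0, 2.0, out, alloc_count(n1, n2),
                   (size_t)(n1 + n2));
}

/* Same walk with the last index taken from the allocation (size - 1). */
static size_t overrun_with_alloc_bound(int n1, int n2, double *out)
{
    size_t size = alloc_count(n1, n2);
    return size ? fill_yn(n1, 2.0, 1.0, 2.0, out, size, size - 1) : 0;
}
```

For n1 = 0 the bound n1+n2 equals n2-n1, so no store falls outside the buffer; for n1 = 5, n2 = 7 the allocation holds 3 values and ten stores fall past its end.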