https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62188
Bug ID: 62188
Summary: Array bounds overrun in bessel_yn_r4/8/16 and other functions
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libfortran
Assignee: unassigned at gcc dot gnu.org
Reporter: vogt at linux dot vnet.ibm.com
There's an array bounds overrun in
gfortran/generated/bessel_r4.c:bessel_yn_r4(). The function is passed the
arguments n1 and n2 (n1 <= n2) and allocates memory for (n2 - n1 + 1) result
values:
    size_t size = n2 < n1 ? 0 : n2-n1+1;
    ...
    ret->base_addr = xmallocarray (size, sizeof (GFC_REAL_4));
But later on it writes from index 0 to n1 + n2:
    for (...; i <= n1+n2; ...)
    ...            ^^^^^
      ret->base_addr[i*stride] = ...;
The loop should be
    for (i = 2; i < n2-n1; i++)
instead. The same bug exists in bessel_r8.c and bessel_r16.c and has been
present since at least gcc-4.8. The existing test cases (bessel_<n>.f90) all
use 0 or low values > 0, so they have not caught this bug yet.
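
Added example (not part of the original report and not libgfortran code): a small C program that takes the allocation size and the `i <= n1+n2` loop bound quoted above and computes how many elements past the buffer such a loop would touch, next to a fill loop whose bound is derived from the allocation itself. The helper names and the (n1, n2) pairs are constructed for illustration; unit stride is assumed for the overrun count.

```c
#include <stddef.h>
#include <stdio.h>

/* Element count quoted in the report: n2 < n1 ? 0 : n2-n1+1. */
static size_t result_size(int n1, int n2)
{
    return n2 < n1 ? 0 : (size_t)(n2 - n1) + 1;
}

/* Elements that a loop "for (...; i <= last; ...)" touches beyond a
 * buffer of `size` elements (hypothetical helper, unit stride). */
static size_t overrun_elems(size_t size, long last)
{
    size_t touched;

    if (last < 0)
        return 0;
    touched = (size_t)last + 1;
    return touched > size ? touched - size : 0;
}

/* Hypothetical bounded fill: the loop bound is the allocated element
 * count, so it cannot drift away from the allocation. The stored values
 * are placeholders, not Bessel results. Returns elements written. */
static size_t fill_bounded(float *base, size_t size, ptrdiff_t stride, float first)
{
    size_t i;

    for (i = 0; i < size; i++)
        base[(ptrdiff_t)i * stride] = first + (float)i;
    return i;
}

int main(void)
{
    /* Constructed (n1, n2) pairs. */
    static const int cases[][2] = { {0, 5}, {1, 5}, {2, 5}, {100, 105} };
    size_t k;

    for (k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        int n1 = cases[k][0], n2 = cases[k][1];
        size_t size = result_size(n1, n2);
        size_t over = overrun_elems(size, (long)n1 + n2);

        printf("n1=%d n2=%d allocated=%zu overrun=%zu elements (%zu bytes as float)\n",
               n1, n2, size, over, over * sizeof(float));
    }
    return 0;
}
```

For 0 <= n1 <= n2 the overrun works out to 2*n1 elements, so n1 = 0 touches nothing past the allocation and small n1 only a few elements. Running a test with a large n1 under AddressSanitizer or valgrind is one way to make the out-of-bounds writes visible.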