On 04/27/2014 04:57 AM, Andreas Schwab wrote:
> Jerry DeLisle <jvdeli...@charter.net> writes:
> 
>> +static void
>> +push_char4 (st_parameter_dt *dtp, gfc_char4_t c)
>> +{
>> +  gfc_char4_t *new, *p = (gfc_char4_t *) dtp->u.p.saved_string;
>> +
>> +  if (p == NULL)
>> +    {
>> +      dtp->u.p.saved_string = xcalloc (SCRATCH_SIZE, sizeof (gfc_char4_t));
>> +      dtp->u.p.saved_length = SCRATCH_SIZE;
>> +      dtp->u.p.saved_used = 0;
>> +      p = (gfc_char4_t *) dtp->u.p.saved_string;
>> +    }
>> +
>> +  if (dtp->u.p.saved_used >= dtp->u.p.saved_length)
>> +    {
>> +      dtp->u.p.saved_length = 2 * dtp->u.p.saved_length;
>> +      new = realloc (p, dtp->u.p.saved_length);
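Review bot: the realloc call on the last line of this hunk is given dtp->u.p.saved_length as its size, but saved_length is a count of gfc_char4_t elements, not bytes: the initial allocation is xcalloc (SCRATCH_SIZE, sizeof (gfc_char4_t)) with saved_length set to SCRATCH_SIZE. After the doubling, the buffer is requested at saved_length bytes while the saved_used >= saved_length test treats it as holding saved_length elements, so later stores index past the end of the allocation. The size argument should be dtp->u.p.saved_length * sizeof (gfc_char4_t). Two smaller points on the same lines: saved_length is updated before the realloc result is known, so a failed realloc leaves the recorded capacity larger than the real buffer, and unlike the xcalloc path the grown region is not zeroed, which matters if any later code relies on the scratch buffer being zero-filled.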
> 
> That's a buffer overflow.
> 
Do you mean it should be?

         new = realloc (p, dtp->u.p.saved_length * sizeof (gfc_char4_t));

jerry
