From 021aa628c6ecec5c0f67bd8b8fa540156f03a11f Mon Sep 17 00:00:00 2001
From: Tobias Burnus <burnus@net-b.de>
Date: Mon, 3 Dec 2012 09:56:11 +0100
Subject: [PATCH] re PR fortran/55475 (heap-buffer-overflow in fortran/error.c)

2012-12-03  Tobias Burnus  <burnus@net-b.de>

        PR fortran/55475
        * scanner.c (gfc_next_char_literal): Fix setting locus
        to free_line_length for the error message.
        * error.c (show_locus): Fix potential out-of-bounds
        read.

From-SVN: r194076
---
 gcc/fortran/ChangeLog | 10 +++++++++-
 gcc/fortran/error.c   |  7 ++++++-
 gcc/fortran/scanner.c |  6 ++++--
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/gcc/fortran/ChangeLog b/gcc/fortran/ChangeLog
index 84b085a4d7e..30f82fd5ef8 100644
--- a/gcc/fortran/ChangeLog
+++ b/gcc/fortran/ChangeLog
@@ -1,4 +1,12 @@
-2012-11-03  Tobias Burnus  <burnus@net-b.de>
+2012-12-03  Tobias Burnus  <burnus@net-b.de>
+
+	PR fortran/55475
+	* scanner.c (gfc_next_char_literal): Fix setting locus
+	to free_line_length for the error message.
+	* error.c (show_locus): Fix potential out-of-bounds
+	read.
+
+2012-12-03  Tobias Burnus  <burnus@net-b.de>
 
 	PR fortran/37336
 	* class.c (finalizer_insert_packed_call): New static function.
diff --git a/gcc/fortran/error.c b/gcc/fortran/error.c
index 4b061560c0e..611540c261a 100644
--- a/gcc/fortran/error.c
+++ b/gcc/fortran/error.c
@@ -387,7 +387,7 @@ show_locus (locus *loc, int c1, int c2)
   cmax -= offset;
 
   p = &(lb->line[offset]);
-  for (i = 0; i <= cmax; i++)
+  for (i = 0; i < cmax; i++)
     {
       int spaces, j;
       spaces = gfc_widechar_display_length (*p++);
@@ -401,6 +401,11 @@ show_locus (locus *loc, int c1, int c2)
 	error_char (' ');
     }
 
+  if (i == c1)
+    error_char ('1');
+  else if (i == c2)
+    error_char ('2');
+
   error_char ('\n');
 
 }
diff --git a/gcc/fortran/scanner.c b/gcc/fortran/scanner.c
index e0556a9760a..765c0f97705 100644
--- a/gcc/fortran/scanner.c
+++ b/gcc/fortran/scanner.c
@@ -1068,10 +1068,12 @@ restart:
 	  && gfc_current_locus.lb->truncated)
 	{
 	  int maxlen = gfc_option.free_line_length;
+	  gfc_char_t *current_nextc = gfc_current_locus.nextc;
+
 	  gfc_current_locus.lb->truncated = 0;
-	  gfc_current_locus.nextc += maxlen;
+	  gfc_current_locus.nextc =  gfc_current_locus.lb->line + maxlen;
 	  gfc_warning_now ("Line truncated at %L", &gfc_current_locus);
-	  gfc_current_locus.nextc -= maxlen;
+	  gfc_current_locus.nextc = current_nextc;
 	}
 
       if (c != '&')
-- 
2.30.2