From 1eaa31d84014c78a16409ef3c08e164dee78b56f Mon Sep 17 00:00:00 2001
From: Jerry DeLisle <jvdelisle@gcc.gnu.org>
Date: Sat, 16 Dec 2017 19:50:42 +0000
Subject: [PATCH] re PR libfortran/81937 (stack-buffer-overflow on memcpy in
 libgfortran/io/unix.c on character(kind=4))

2017-12-16  Jerry DeLisle  <jvdelisle@gcc.gnu.org>

        PR libgfortran/81937
        * io/list_read.c (next_char_internal): Don't attempt to read
        from the internal unit stream if no bytes are left. Decrement
        bytes_left in the right place.

From-SVN: r255750
---
 libgfortran/ChangeLog      |  7 +++++++
 libgfortran/io/list_read.c | 22 +++++++++++++---------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/libgfortran/ChangeLog b/libgfortran/ChangeLog
index ee2f7a6fd2b..aa2a0f7f673 100644
--- a/libgfortran/ChangeLog
+++ b/libgfortran/ChangeLog
@@ -1,3 +1,10 @@
+2017-12-16  Jerry DeLisle  <jvdelisle@gcc.gnu.org>
+
+	PR libgfortran/81937
+	* io/list_read.c (next_char_internal): Don't attempt to read
+	from the internal unit stream if no bytes are left. Decrement
+	bytes_left in the right place.
+
 2017-12-12  Jerry DeLisle  <jvdelisle@gcc.gnu.org>
 
 	PR libgfortran/78549
diff --git a/libgfortran/io/list_read.c b/libgfortran/io/list_read.c
index 379050cecad..037f2daa647 100644
--- a/libgfortran/io/list_read.c
+++ b/libgfortran/io/list_read.c
@@ -266,15 +266,19 @@ next_char_internal (st_parameter_dt *dtp)
     }
 
   /* Get the next character and handle end-of-record conditions.  */
-
-  if (is_char4_unit(dtp)) /* Check for kind=4 internal unit.  */
-   length = sread (dtp->u.p.current_unit->s, &c, 1);
+  if (likely (dtp->u.p.current_unit->bytes_left > 0))
+    {
+      if (unlikely (is_char4_unit(dtp))) /* Check for kind=4 internal unit.  */
+       length = sread (dtp->u.p.current_unit->s, &c, 1);
+      else
+       {
+	 char cc;
+	 length = sread (dtp->u.p.current_unit->s, &cc, 1);
+	 c = cc;
+       }
+    }
   else
-   {
-     char cc;
-     length = sread (dtp->u.p.current_unit->s, &cc, 1);
-     c = cc;
-   }
+    length = 0;
 
   if (unlikely (length < 0))
     {
@@ -290,7 +294,6 @@ next_char_internal (st_parameter_dt *dtp)
 	  generate_error (&dtp->common, LIBERROR_INTERNAL_UNIT, NULL);
 	  return '\0';
 	}
-      dtp->u.p.current_unit->bytes_left--;
     }
   else
     {
@@ -302,6 +305,7 @@ next_char_internal (st_parameter_dt *dtp)
 	  dtp->u.p.at_eof = 1;
 	}
     }
+  dtp->u.p.current_unit->bytes_left--;
 
 done:
   dtp->u.p.at_eol = (c == '\n' || c == EOF);
-- 
2.11.4.GIT