https://gcc.gnu.org/g:ff2f6c5153ecc142e1821a26b4a5184b4fe30607
commit r16-7577-gff2f6c5153ecc142e1821a26b4a5184b4fe30607 Author: Jerry DeLisle <[email protected]> Date: Wed Feb 18 16:19:26 2026 -0800 Fortran: Fix heap-use-after-free This fix stops freeing the current BLOCK namespace during malformed END error recovery. It now lets normal block unwinding/cleanup handle the free, preventing the heap-use-after-free. Suggested-by: Jakub Jelinek <[email protected]> Signed-off-by: Christopher Albert <[email protected]> PR fortran/122491 gcc/fortran/ChangeLog: * decl.cc (gfc_match_end): Do not free current BLOCK namespace during malformed END cleanup. Diff: --- gcc/fortran/decl.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gcc/fortran/decl.cc b/gcc/fortran/decl.cc
index cb6bd6f8cc05..b51285805484 100644
--- a/gcc/fortran/decl.cc
+++ b/gcc/fortran/decl.cc
@@ -9267,7 +9267,8 @@ cleanup:
 ns = ns->sibling;
 }
- gfc_free_namespace (gfc_current_ns);
+ /* The namespace can still be referenced by parser state and code nodes;
+ let normal block unwinding/freeing own its lifetime. */
 gfc_current_ns = parent_ns;
 gfc_state_stack = gfc_state_stack->previous;
 state = gfc_current_state ();
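Review bot: With the `gfc_free_namespace (gfc_current_ns)` call removed, nothing in this cleanup path frees the BLOCK namespace, and the new comment does not say which owner does; once `gfc_current_ns = parent_ns` runs, the only pointers left are the "parser state and code nodes" the comment mentions. If a malformed END can reach this loop before any such reference exists, the namespace would presumably leak instead of being freed later, which is a safer failure than the use-after-free but worth confirming by running the PR fortran/122491 reproducer under a leak-checking sanitizer. I would name the owner in the comment, for example `/* Do not free gfc_current_ns here (PR fortran/122491): parser state and code nodes may still point to it; it is freed when the enclosing block is unwound.  */`. The diffstat lists only decl.cc, so no regression test accompanies the fix, and the enclosing function (gfc_match_end per the ChangeLog) begins and ends outside the hunk.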
