From fa9795406d4f6579d95e1333bde27cf437023fe4 Mon Sep 17 00:00:00 2001
From: herman ten brugge
Date: Thu, 7 Aug 2025 11:32:09 +0200
Subject: [PATCH] Do not read past array end in struct return

---
 tccgen.c | 15 ++++++++++-----
 tests/tests2/121_struct_return.c | 18 ++++++++++++++++++
 tests/tests2/121_struct_return.expect | 1 +
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/tccgen.c b/tccgen.c
index 145d88de..c85db9ee 100644
--- a/tccgen.c
+++ b/tccgen.c
@@ -6706,11 +6706,16 @@ static void gfunc_return(CType *func_type)
 /* returning structure packed into registers */
 int size, addr, align, rc, n;
 size = type_size(func_type,&align);
- if ((align & (ret_align - 1))
- && ((vtop->r & VT_VALMASK) < VT_CONST /* pointer to struct */
- || (vtop->c.i & (ret_align - 1))
- )) {
- loc = (loc - size) & -ret_align;
+ if (ret_nregs * regsize > size ||
+ ((align & (ret_align - 1))
+ && ((vtop->r & VT_VALMASK) < VT_CONST /* pointer to struct */
+ || (vtop->c.i & (ret_align - 1))
+ ))) {
+ if (ret_nregs * regsize > size)
+ size = ret_nregs * regsize;
+ if (ret_align > align)
+ align = ret_align;
+ loc = (loc - size) & -align;
 addr = loc;
 type = *func_type;
 vset(&type, VT_LOCAL | VT_LVAL, addr);
diff --git a/tests/tests2/121_struct_return.c b/tests/tests2/121_struct_return.c
index 147761b1..6a1a1ec9 100644
--- a/tests/tests2/121_struct_return.c
+++ b/tests/tests2/121_struct_return.c
@@ -6,6 +6,10 @@ typedef struct {
 double d2;
 } Node;
 
+typedef struct {
+ int a, b, c;
+} A;
+
 Node init(Node self) {
 self.data[0] = 0;
 self.data[1] = 1;
@@ -25,11 +29,25 @@ void print_data(Node data) {
 data.d1, data.d2);
 }
+A test(void)
+{
+ int i;
+ A arr[30];
+ for (i = 0; i < 30; i++)
+ arr[i].b = i;
+ return arr[29];
+}
+
 int main(void) {
 /* This code resulted in a bounds checking error */
 Node data;
+ A a;
 dummy (data);
 char val;
 data = init (data);
 print_data(data);
+ a = test();
+ printf("%d\n", a.b);
+
 return 0;
 }
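Review bot: The enlarged slot from `loc = (loc - size) & -align` leaves the bytes between the struct's real size and `ret_nregs * regsize` unwritten: the store set up by `vset(&type, VT_LOCAL | VT_LVAL, addr)` presumably copies only `type_size(func_type)` bytes (the copy itself is outside the hunk), so the register loads now read in-bounds but uninitialized stack rather than past the object. That is the intended trade and does not affect the C-level value, but it deserves a comment on the `size = ret_nregs * regsize;` line, e.g. `/* pad the slot to whole registers so the loads below stay in bounds; the pad bytes are never written */`. The comparison `ret_nregs * regsize > size` is also evaluated twice, once in the `if` and once inside it; hoisting it into `int regbytes = ret_nregs * regsize;` before the condition keeps both uses on one value. gfunc_return starts and continues outside the hunk.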
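Review bot: `test()` sets only `arr[i].b` and leaves `a` and `c` indeterminate, and the array bound `30` is repeated in the loop; without a comment the next reader is likely to "fix" either and lose the case. A one-line comment above the function would pin the intent, e.g. `/* 12-byte struct returned from the last array element: the copy must not read past the end of arr[] */` (that this is the register-padding path is inferred from the tccgen.c hunk, so adjust the wording if the mechanism differs). The loop bound could be written `sizeof arr / sizeof arr[0]` so the array size is stated once. `main` continues outside the hunk.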
diff --git a/tests/tests2/121_struct_return.expect b/tests/tests2/121_struct_return.expect
index fa68b11d..4141962e 100644
--- a/tests/tests2/121_struct_return.expect
+++ b/tests/tests2/121_struct_return.expect
@@ -1 +1,2 @@
 0 1 2 3 1234 2345
+29