From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
	id DE83A3858D20; Tue,  8 Aug 2023 16:13:20 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org DE83A3858D20
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1691511200;
	bh=ROotCtKjyYMqlvGHwoB7DZbB4EAvHF/EfAas4fuBk+0=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=xbeYq2o1rCIEVZDi6JKFpQHWCBBJz3ED9wd1uoICeS1W08AICJcnKinYUtKG3g7FS
	 d2kJRTDjgJabcoqt6dRlNqDOlE3gUc+MCKEkhe4zQNzkwUcxTJDOM2nolC+7fwntW5
	 25GFWNGr0A3KfVommAJqAGJR6j+cKqtOCeZCRH9E=
From: "cvs-commit at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug libstdc++/110862] format out of bounds read on format string
 "{0:{0}"
Date: Tue, 08 Aug 2023 16:13:20 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: libstdc++
X-Bugzilla-Version: 13.2.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: redi at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 13.3
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-110862-4-OqtfxfdmO5@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-110862-4@http.gcc.gnu.org/bugzilla/>
References: <bug-110862-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <gcc-bugs.sourceware.org>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D110862

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-13 branch has been updated by Jonathan Wakely
<redi@gcc.gnu.org>:

https://gcc.gnu.org/g:55eb7e92a60adfae43aaf58bb9c81050d39d82c9

commit r13-7697-g55eb7e92a60adfae43aaf58bb9c81050d39d82c9
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Thu Aug 3 08:45:43 2023 +0100

    libstdc++: Fix past-the-end increment in std::format [PR110862]

    At the end of a replacement field we should check that the closing brace
    is actually present before incrementing past it.

    libstdc++-v3/ChangeLog:

            PR libstdc++/110862
            * include/std/format (_Scanner::_M_on_replacement_field):
            Check for expected '}' before incrementing iterator.
            * testsuite/std/format/string.cc: Check "{0:{0}" format string.

    (cherry picked from commit 5d87f71bb462ccb78dd3d9d810ea08d96869cb4b)=