public inbox for gcc-bugs@sourceware.org
* [Bug libstdc++/110862] New: format out of bands read on format string "{0:{0}"
From: gcc at pauldreik dot se @ 2023-07-31 15:18 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862

            Bug ID: 110862
           Summary: format out of bands read on format string "{0:{0}"
           Product: gcc
           Version: 13.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: gcc at pauldreik dot se
  Target Milestone: ---

The following program with an incorrect format string causes an out of bounds
read when compiled with gcc 13.2:

    #include <cstdio>
    #include <format>

    int main() {
        unsigned short v = 0;
        std::puts(std::vformat("{0:{0}", std::make_format_args(v)).c_str());
    }

I expected an exception to be thrown.

Link to reproducer: https://godbolt.org/z/WrqxGE1jG

* [Bug libstdc++/110862] format out of bands read on format string "{0:{0}"
From: hewillk at gmail dot com @ 2023-08-01 1:21 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862

康桓瑋 <hewillk at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hewillk at gmail dot com

--- Comment #1 from 康桓瑋 <hewillk at gmail dot com> ---
It does throw:

https://godbolt.org/z/5q3bb51YE

* [Bug libstdc++/110862] format out of bands read on format string "{0:{0}"
From: gcc at pauldreik dot se @ 2023-08-01 7:50 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862

--- Comment #2 from Paul Dreik <gcc at pauldreik dot se> ---
(In reply to 康桓瑋 from comment #1)
> It does throw:
>
> https://godbolt.org/z/5q3bb51YE

Sorry for being unclear. Yes, it throws but that is after the out of bounds
read has happened.

* [Bug libstdc++/110862] format out of bands read on format string "{0:{0}"
From: redi at gcc dot gnu.org @ 2023-08-01 13:15 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                      |Added
----------------------------------------------------------------------------
   Target Milestone|---                          |13.3
   Last reconfirmed|                             |2023-08-01
     Ever confirmed|0                            |1
           Assignee|unassigned at gcc dot gnu.org|redi at gcc dot gnu.org
             Status|UNCONFIRMED                  |ASSIGNED

* [Bug libstdc++/110862] format out of bounds read on format string "{0:{0}"
From: redi at gcc dot gnu.org @ 2023-08-03 8:04 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862

--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> ---
https://gcc.gnu.org/git?p=gcc.git;a=blob;f=libstdc%2B%2B-v3/include/std/format;h=9d5981e4882991cc2cbfb9353d399372030e8722;hb=refs/heads/master#l3535
needs to throw if begin()==end() || *begin() != '}'

Fix incoming as soon as I have a decent WiFi signal.

* [Bug libstdc++/110862] format out of bounds read on format string "{0:{0}"
From: cvs-commit at gcc dot gnu.org @ 2023-08-07 21:12 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jonathan Wakely <redi@gcc.gnu.org>:

https://gcc.gnu.org/g:5d87f71bb462ccb78dd3d9d810ea08d96869cb4b

commit r14-3066-g5d87f71bb462ccb78dd3d9d810ea08d96869cb4b
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Thu Aug 3 08:45:43 2023 +0100

    libstdc++: Fix past-the-end increment in std::format [PR110862]

    At the end of a replacement field we should check that the closing brace
    is actually present before incrementing past it.

    libstdc++-v3/ChangeLog:

            PR libstdc++/110862
            * include/std/format (_Scanner::_M_on_replacement_field): Check
            for expected '}' before incrementing iterator.
            * testsuite/std/format/string.cc: Check "{0:{0}" format string.

* [Bug libstdc++/110862] format out of bounds read on format string "{0:{0}"
From: cvs-commit at gcc dot gnu.org @ 2023-08-08 16:13 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-13 branch has been updated by Jonathan Wakely
<redi@gcc.gnu.org>:

https://gcc.gnu.org/g:55eb7e92a60adfae43aaf58bb9c81050d39d82c9

commit r13-7697-g55eb7e92a60adfae43aaf58bb9c81050d39d82c9
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Thu Aug 3 08:45:43 2023 +0100

    libstdc++: Fix past-the-end increment in std::format [PR110862]

    At the end of a replacement field we should check that the closing brace
    is actually present before incrementing past it.

    libstdc++-v3/ChangeLog:

            PR libstdc++/110862
            * include/std/format (_Scanner::_M_on_replacement_field): Check
            for expected '}' before incrementing iterator.
            * testsuite/std/format/string.cc: Check "{0:{0}" format string.

    (cherry picked from commit 5d87f71bb462ccb78dd3d9d810ea08d96869cb4b)

* [Bug libstdc++/110862] format out of bounds read on format string "{0:{0}"
From: redi at gcc dot gnu.org @ 2023-08-08 16:14 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Fixed for 13.3, thanks for the report.
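
Added example, not part of the thread and not libstdc++ code: a toy replacement-field scanner showing the check named in comment #3 and in the commit message (throw if at end or the next character is not '}') beside the unchecked step it replaces. All function names are hypothetical, positions are indices rather than iterators so the flawed variant can be inspected without undefined behaviour, and std::runtime_error stands in for std::format_error.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string_view>

// Scan a field body that starts just after '{', allowing one or more nested
// "{...}" groups (e.g. a dynamic width). Returns the index of the field's
// closing '}' or fmt.size() if the string ends first.
std::size_t skip_field_body(std::string_view fmt, std::size_t pos) {
    int depth = 0;
    for (; pos < fmt.size(); ++pos) {
        if (fmt[pos] == '{') {
            ++depth;
        } else if (fmt[pos] == '}') {
            if (depth == 0) break;   // this brace closes the outer field
            --depth;                 // this brace closes a nested field
        }
    }
    return pos;
}

// Flawed pattern: assume the closing brace is present and step over it.
// For a truncated field the result is fmt.size() + 1, one past the end.
std::size_t end_field_unchecked(std::string_view fmt, std::size_t open) {
    return skip_field_body(fmt, open + 1) + 1;
}

// Checked pattern: verify the brace is there before advancing past it.
std::size_t end_field_checked(std::string_view fmt, std::size_t open) {
    std::size_t pos = skip_field_body(fmt, open + 1);
    if (pos == fmt.size() || fmt[pos] != '}')
        throw std::runtime_error("format error: missing '}' in replacement field");
    return pos + 1;
}

// True when the checked scanner refuses the format string.
bool rejects(std::string_view fmt) {
    try { end_field_checked(fmt, 0); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    std::string_view bad = "{0:{0}";   // format string from the bug report
    std::printf("size=%zu unchecked_next=%zu rejected=%d\n",
                bad.size(), end_field_unchecked(bad, 0), rejects(bad));
}
```
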