public inbox for gcc-bugs@sourceware.org
* [Bug libstdc++/110862] New: format out of bands read on format string "{0:{0}"
@ 2023-07-31 15:18 gcc at pauldreik dot se
2023-08-01 1:21 ` [Bug libstdc++/110862] " hewillk at gmail dot com
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: gcc at pauldreik dot se @ 2023-07-31 15:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862
Bug ID: 110862
Summary: format out of bands read on format string "{0:{0}"
Product: gcc
Version: 13.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: gcc at pauldreik dot se
Target Milestone: ---
The following program with an incorrect format string causes an out of bounds
read when compiled with gcc 13.2:

    #include <cstdio>
    #include <format>

    int main() {
        unsigned short v = 0;
        std::puts(std::vformat("{0:{0}", std::make_format_args(v)).c_str());
    }

I expected an exception to be thrown.
Link to reproducer:
https://godbolt.org/z/WrqxGE1jG
* [Bug libstdc++/110862] format out of bands read on format string "{0:{0}"
From: hewillk at gmail dot com @ 2023-08-01 1:21 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862
康桓瑋 <hewillk at gmail dot com> changed:
               What|Removed                       |Added
----------------------------------------------------------------------------
                 CC|                              |hewillk at gmail dot com
--- Comment #1 from 康桓瑋 <hewillk at gmail dot com> ---
It does throw:
https://godbolt.org/z/5q3bb51YE
* [Bug libstdc++/110862] format out of bands read on format string "{0:{0}"
From: gcc at pauldreik dot se @ 2023-08-01 7:50 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862
--- Comment #2 from Paul Dreik <gcc at pauldreik dot se> ---
(In reply to 康桓瑋 from comment #1)
> It does throw:
>
> https://godbolt.org/z/5q3bb51YE
Sorry for being unclear. Yes, it throws but that is after the out of bounds
read has happened.
* [Bug libstdc++/110862] format out of bands read on format string "{0:{0}"
From: redi at gcc dot gnu.org @ 2023-08-01 13:15 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862
Jonathan Wakely <redi at gcc dot gnu.org> changed:
               What|Removed                       |Added
----------------------------------------------------------------------------
   Target Milestone|---                           |13.3
   Last reconfirmed|                              |2023-08-01
     Ever confirmed|0                             |1
           Assignee|unassigned at gcc dot gnu.org |redi at gcc dot gnu.org
             Status|UNCONFIRMED                   |ASSIGNED
* [Bug libstdc++/110862] format out of bounds read on format string "{0:{0}"
From: redi at gcc dot gnu.org @ 2023-08-03 8:04 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862
--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> ---
https://gcc.gnu.org/git?p=gcc.git;a=blob;f=libstdc%2B%2B-v3/include/std/format;h=9d5981e4882991cc2cbfb9353d399372030e8722;hb=refs/heads/master#l3535
needs to throw if begin()==end() || *begin() != '}'
Fix incoming as soon as I have a decent WiFi signal.
* [Bug libstdc++/110862] format out of bounds read on format string "{0:{0}"
From: cvs-commit at gcc dot gnu.org @ 2023-08-07 21:12 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862
--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jonathan Wakely <redi@gcc.gnu.org>:
https://gcc.gnu.org/g:5d87f71bb462ccb78dd3d9d810ea08d96869cb4b
commit r14-3066-g5d87f71bb462ccb78dd3d9d810ea08d96869cb4b
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Thu Aug 3 08:45:43 2023 +0100

    libstdc++: Fix past-the-end increment in std::format [PR110862]

    At the end of a replacement field we should check that the closing brace
    is actually present before incrementing past it.

    libstdc++-v3/ChangeLog:

            PR libstdc++/110862
            * include/std/format (_Scanner::_M_on_replacement_field):
            Check for expected '}' before incrementing iterator.
            * testsuite/std/format/string.cc: Check "{0:{0}" format string.
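
Added example (not part of the thread and not libstdc++ code): a simplified model of the check the commit message above describes, run on the reporter's format string. The names `Scan`, `parse_spec` and `scan_field` and the reduced grammar are assumptions made for illustration; an index larger than `size()` stands in for an iterator moved past `end()`, so the unchecked mode never actually reads out of bounds.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string_view>

// Hypothetical, reduced grammar: '{' digits [ ':' [ '{' digits '}' ] ] '}'
enum class Scan { Ok, Rejected, PastTheEnd };

// Parses the optional spec after ':' and returns the index where the
// replacement field's own closing '}' is expected.
static std::size_t parse_spec(std::string_view s, std::size_t i) {
    if (i < s.size() && s[i] == '{') {            // nested width field, e.g. "{0}"
        ++i;
        while (i < s.size() && s[i] >= '0' && s[i] <= '9') ++i;
        if (i == s.size() || s[i] != '}')
            throw std::runtime_error("unterminated nested field");
        ++i;
    }
    return i;
}

// check_close == false models the pre-fix behaviour: the cursor steps over
// the closing brace without looking at it.
Scan scan_field(std::string_view s, bool check_close) {
    std::size_t i = 0;
    try {
        if (s.empty() || s[i] != '{') return Scan::Rejected;
        ++i;
        while (i < s.size() && s[i] >= '0' && s[i] <= '9') ++i;   // arg-id
        if (i < s.size() && s[i] == ':') i = parse_spec(s, i + 1);
        if (check_close && (i == s.size() || s[i] != '}'))
            return Scan::Rejected;                // the check named in the fix
        ++i;                                      // step past the expected '}'
    } catch (const std::runtime_error&) {
        return Scan::Rejected;
    }
    // Cursor beyond size() corresponds to an iterator incremented past end().
    return i > s.size() ? Scan::PastTheEnd : Scan::Ok;
}
```

With the check disabled, `"{0:{0}"` leaves the cursor one past the end because the nested `{0}` consumes the last character; with it enabled the same input is rejected before the increment.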
* [Bug libstdc++/110862] format out of bounds read on format string "{0:{0}"
From: cvs-commit at gcc dot gnu.org @ 2023-08-08 16:13 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862
--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-13 branch has been updated by Jonathan Wakely
<redi@gcc.gnu.org>:
https://gcc.gnu.org/g:55eb7e92a60adfae43aaf58bb9c81050d39d82c9
commit r13-7697-g55eb7e92a60adfae43aaf58bb9c81050d39d82c9
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Thu Aug 3 08:45:43 2023 +0100

    libstdc++: Fix past-the-end increment in std::format [PR110862]

    At the end of a replacement field we should check that the closing brace
    is actually present before incrementing past it.

    libstdc++-v3/ChangeLog:

            PR libstdc++/110862
            * include/std/format (_Scanner::_M_on_replacement_field):
            Check for expected '}' before incrementing iterator.
            * testsuite/std/format/string.cc: Check "{0:{0}" format string.

    (cherry picked from commit 5d87f71bb462ccb78dd3d9d810ea08d96869cb4b)
* [Bug libstdc++/110862] format out of bounds read on format string "{0:{0}"
From: redi at gcc dot gnu.org @ 2023-08-08 16:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110862
Jonathan Wakely <redi at gcc dot gnu.org> changed:
               What|Removed                       |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                      |RESOLVED
         Resolution|---                           |FIXED
--- Comment #6 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Fixed for 13.3, thanks for the report.