* [Bug libstdc++/28759]  New: stringbuf writes beyond external buffer given via pubsetbuf()
From: ngiff at yahoo dot com @ 2006-08-17  0:53 UTC (permalink / raw)
  To: gcc-bugs

$ gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.5/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.5 20051201 (Red Hat 3.4.5-2)

$ uname -a
Linux localhost.localdomain 2.6.9-34.0.1.EL #1 Wed May 24 07:40:56 CDT 2006
i686 i686 i386 GNU/Linux


I encounter this bug when using ostringstream with an external buffer.

When an external buffer is given to pubsetbuf(), it is copied into the internal
buffer (_M_string).  (The code comments in sstream indicate that it thinks it's
destroying the buffer, but it's not.)  If the size of the external buffer is <=
115, everything is fine.  Above that, the internal buffer allocates additional
storage in 128 byte increments (227, 355, ...), which increases its capacity()
beyond its size().  The second step of pubsetbuf() calls _M_sync() to set up
the put/get pointers.  However, setp() is then called with the external buffer
pointer as the first argument (correct) and ((buffer pointer) +
_M_string.capacity()) as the second (incorrect).  This capacity() is greater
than the size of the external buffer, so the end put pointer points well past
the end of the external buffer.

In the following example, a size of 116 is given to pubsetbuf().  However, the
capacity of the internal buffer is 227.  227 'x' chars get written into the
external buffer.

#include <cstring>
#include <iostream>
#include <sstream>

using namespace std;

int main() {
    ostringstream oss;
    char *buf = new char[256];
    memset(buf, 0, 256);   /* zero the whole block; sizeof(buf) is only sizeof(char*) */

    /* external buffer of 116 bytes; the internal copy's capacity grows to 227 */
    oss.rdbuf()->pubsetbuf(buf, 116);
    cout << "INTERNAL BUFF SIZE " << oss.str().size() << " " <<
oss.str().capacity() << endl;

    /* far more writes than either the declared size or the capacity */
    for (int i=0; i<1000; i++)
    {
        oss << "x";
    }
    oss.rdbuf()->pubsetbuf(0, 0);

    /* how many bytes actually landed in the external buffer */
    cout << "EXTERNAL BUFF SIZE " << strlen(buf) << endl;
    delete[] buf;
}


Let me know if I can provide any other info...
Nick


-- 
           Summary: stringbuf writes beyond external buffer given via
                    pubsetbuf()
           Product: gcc
           Version: 3.4.5
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: ngiff at yahoo dot com


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28759
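As an added illustration (not code from the report or from libstdc++), a hypothetical streambuf that applies the bound the fix in comment #1 restores: the put area ends at the caller's size, not at the internal string's capacity, so the report's 1000 writes into a 116-byte buffer stop at 116 and the stream reports failure instead of spilling past the buffer. `bounded_buf`, `fill_result` and `fill_external` are assumed names.

```cpp
#include <cstring>
#include <iostream>
#include <ostream>
#include <streambuf>
#include <string>

// Hypothetical streambuf (not libstdc++'s basic_stringbuf) that models the
// contract the 2004 _M_sync fix restores: when the caller hands over an
// external buffer of n bytes, the put area ends at buf + n, never at
// buf + internal_string.capacity().
class bounded_buf : public std::streambuf {
public:
    bounded_buf(char* buf, std::streamsize n) { setp(buf, buf + n); }

    // Bytes actually stored in the external buffer so far.
    std::size_t written() const {
        return static_cast<std::size_t>(pptr() - pbase());
    }

protected:
    // pubsetbuf() path: rebind to the caller's size, exactly like the ctor.
    std::streambuf* setbuf(char* buf, std::streamsize n) override {
        setp(buf, buf + n);
        return this;
    }
    // Put area full: refuse instead of spilling past the external buffer;
    // the ostream then sets its error state and drops further output.
    int_type overflow(int_type) override { return traits_type::eof(); }
};

struct fill_result { std::size_t stored; bool failed; };
// Writes `count` 'x' chars into an external buffer of `size` bytes; reports
// how many reached memory and whether the stream gave up.
fill_result fill_external(std::size_t size, int count) {
    std::string storage(size + 64, '\0');  // slack so any overrun would show
    bounded_buf sb(&storage[0], static_cast<std::streamsize>(size));
    std::ostream os(&sb);
    for (int i = 0; i < count; ++i) os << 'x';
    std::size_t in_memory = std::strlen(storage.c_str());
    // Cross-check the pointer arithmetic against what is really in memory.
    if (in_memory != sb.written()) in_memory = static_cast<std::size_t>(-1);
    return fill_result{in_memory, os.fail()};
}

int main() {
    fill_result r = fill_external(116, 1000);  // the report's numbers
    std::cout << "external buffer holds " << r.stored
              << " bytes, stream failed: " << r.failed << '\n';
}
```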



* [Bug libstdc++/28759] stringbuf writes beyond external buffer given via pubsetbuf()
From: pcarlini at suse dot de @ 2006-08-17  1:08 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #1 from pcarlini at suse dot de  2006-08-17 01:07 -------
Fixed already for gcc4.0.0 with the below: time to update your compiler, the
3.4.x branch is old and not maintained anymore...

2004-10-06  Paolo Carlini  <pcarlini@suse.de>

        * include/std/std_sstream.h (_M_sync): When the caller is
        setbuf, don't trust _M_string.capacity() to be the size of
        the buffer area, use _M_string.size() in this case.
        * testsuite/27_io/basic_stringbuf/setbuf/char/4.cc: New.
        * testsuite/27_io/basic_stringbuf/setbuf/wchar_t/4.cc: Likewise.


-- 

pcarlini at suse dot de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
      Known to work|                            |4.0.0
         Resolution|                            |WORKSFORME


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28759



* [Bug libstdc++/28759] stringbuf writes beyond external buffer given via pubsetbuf()
From: pinskia at gcc dot gnu dot org @ 2006-08-17  1:11 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #2 from pinskia at gcc dot gnu dot org  2006-08-17 01:11 -------
The other thing is that sizeof(buf) will get you sizeof(char*) which is most
likely not what you wanted anyway.





* [Bug libstdc++/28759] stringbuf writes beyond external buffer given via pubsetbuf()
From: ngiff at yahoo dot com @ 2006-08-17  6:56 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #3 from ngiff at yahoo dot com  2006-08-17 06:55 -------
Sorry.  I did not know that 3.4 was no longer supported.  I wondered if
upgrading to gcc4 would fix it, but was trying to stay in sync with the rest of
my group.  But it sounds like upgrading is something we should all do.

Thanks for the prompt response!
Nick





* [Bug libstdc++/28759] stringbuf writes beyond external buffer given via pubsetbuf()
From: ngiff at yahoo dot com @ 2006-08-18  2:52 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #4 from ngiff at yahoo dot com  2006-08-18 02:52 -------
I guess I'm supposed to verify/close this...


-- 

ngiff at yahoo dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28759

