public inbox for gcc-bugs@sourceware.org
* [Bug libstdc++/95851] New: [10/11 Regression] std::to_chars(p, p, c, 2) segfault
@ 2020-06-23 21:43 redi at gcc dot gnu.org
  2020-06-23 21:44 ` [Bug libstdc++/95851] " redi at gcc dot gnu.org
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: redi at gcc dot gnu.org @ 2020-06-23 21:43 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95851

            Bug ID: 95851
           Summary: [10/11 Regression] std::to_chars(p, p, c, 2) segfault
           Product: gcc
           Version: 10.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: redi at gcc dot gnu.org
  Target Milestone: ---

The following has undefined behaviour, trying to write past the end of the
range:

#include <charconv>
int main()
{
  char c = 0;
  std::to_chars(&c, &c, c, 2);
}


* [Bug libstdc++/95851] [10/11 Regression] std::to_chars(p, p, c, 2) segfault
  2020-06-23 21:43 [Bug libstdc++/95851] New: [10/11 Regression] std::to_chars(p, p, c, 2) segfault redi at gcc dot gnu.org
@ 2020-06-23 21:44 ` redi at gcc dot gnu.org
  2020-06-24 11:55 ` cvs-commit at gcc dot gnu.org
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: redi at gcc dot gnu.org @ 2020-06-23 21:44 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95851

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |redi at gcc dot gnu.org
   Last reconfirmed|                            |2020-06-23
      Known to fail|                            |10.1.1, 11.0
      Known to work|                            |9.3.0
   Target Milestone|---                         |10.2
     Ever confirmed|0                           |1


* [Bug libstdc++/95851] [10/11 Regression] std::to_chars(p, p, c, 2) segfault
  2020-06-23 21:43 [Bug libstdc++/95851] New: [10/11 Regression] std::to_chars(p, p, c, 2) segfault redi at gcc dot gnu.org
  2020-06-23 21:44 ` [Bug libstdc++/95851] " redi at gcc dot gnu.org
@ 2020-06-24 11:55 ` cvs-commit at gcc dot gnu.org
  2020-06-24 15:02 ` cvs-commit at gcc dot gnu.org
  2020-06-24 16:32 ` redi at gcc dot gnu.org
  3 siblings, 0 replies; 5+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2020-06-24 11:55 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95851

--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jonathan Wakely <redi@gcc.gnu.org>:

https://gcc.gnu.org/g:be50843754b4c4d47f0d628a84b3dbf2a4145a43

commit r11-1624-gbe50843754b4c4d47f0d628a84b3dbf2a4145a43
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Tue Jun 23 22:47:58 2020 +0100

    libstdc++: Fix std::to_chars buffer overflow (PR 95851)

    The __detail::__to_chars_2 function assumes it won't be called with zero
    values. However, when the output buffer is empty the caller doesn't
    handle zero values correctly, and calls __to_chars_2 with a zero value,
    resulting in an overflow of the empty buffer.

    The __detail::__to_chars_i function should just return immediately for
    an empty buffer, and otherwise ensure zero values are handled properly.

    libstdc++-v3/ChangeLog:

            PR libstdc++/95851
            * include/std/charconv (__to_chars_i): Check for zero-sized
            buffer unconditionally.
            * testsuite/20_util/to_chars/95851.cc: New test.

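A regression check for the empty-buffer condition described in the commit message above, as an added example that is not part of the thread or of the libstdc++ testsuite; the guard size, canary byte and function names are assumptions made here. It goes beyond the reported case by sweeping every base from 2 to 36 over several integer types. On an affected library the call is still undefined behaviour, so the guard bytes only make a stray write observable.

```cpp
// Added example (not libstdc++ code): empty-buffer regression check.
#include <charconv>
#include <cstring>
#include <limits>
#include <system_error>

constexpr int kGuard = 64;               // guard bytes per side (constructed)
constexpr unsigned char kCanary = 0xA5;  // fill pattern (constructed)

// Call std::to_chars on the empty range [p, p) in the middle of a
// canary-filled buffer. True only if the call reports value_too_large,
// returns ptr == last, and leaves every guard byte untouched.
template <typename T>
bool empty_range_is_safe(T value, int base)
{
  unsigned char buf[2 * kGuard];
  std::memset(buf, kCanary, sizeof buf);
  char* p = reinterpret_cast<char*>(buf) + kGuard;
  const std::to_chars_result r = std::to_chars(p, p, value, base);
  for (unsigned char b : buf)
    if (b != kCanary)
      return false;                      // stray write outside [p, p)
  return r.ec == std::errc::value_too_large && r.ptr == p;
}

// Sweep the boundary values of T over every base the standard allows.
template <typename T>
int count_failures()
{
  const T samples[] = { T(0), T(1), std::numeric_limits<T>::min(),
                        std::numeric_limits<T>::max() };
  int failures = 0;
  for (int base = 2; base <= 36; ++base)
    for (T v : samples)
      if (!empty_range_is_safe(v, base))
        ++failures;
  return failures;
}

// Total failures across the integer types to_chars accepts, char included.
int check_all_types()
{
  return count_failures<char>() + count_failures<signed char>()
       + count_failures<unsigned char>() + count_failures<int>()
       + count_failures<unsigned>() + count_failures<long long>()
       + count_failures<unsigned long long>();
}

int main() { return check_all_types() == 0 ? 0 : 1; }
```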

* [Bug libstdc++/95851] [10/11 Regression] std::to_chars(p, p, c, 2) segfault
  2020-06-23 21:43 [Bug libstdc++/95851] New: [10/11 Regression] std::to_chars(p, p, c, 2) segfault redi at gcc dot gnu.org
  2020-06-23 21:44 ` [Bug libstdc++/95851] " redi at gcc dot gnu.org
  2020-06-24 11:55 ` cvs-commit at gcc dot gnu.org
@ 2020-06-24 15:02 ` cvs-commit at gcc dot gnu.org
  2020-06-24 16:32 ` redi at gcc dot gnu.org
  3 siblings, 0 replies; 5+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2020-06-24 15:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95851

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-10 branch has been updated by Jonathan Wakely
<redi@gcc.gnu.org>:

https://gcc.gnu.org/g:ff5c8fe44a98025c1e700cfc033247965e293869

commit r10-8360-gff5c8fe44a98025c1e700cfc033247965e293869
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Tue Jun 23 22:47:58 2020 +0100

    libstdc++: Fix std::to_chars buffer overflow (PR 95851)

    The __detail::__to_chars_2 function assumes it won't be called with zero
    values. However, when the output buffer is empty the caller doesn't
    handle zero values correctly, and calls __to_chars_2 with a zero value,
    resulting in an overflow of the empty buffer.

    The __detail::__to_chars_i function should just return immediately for
    an empty buffer, and otherwise ensure zero values are handled properly.

    libstdc++-v3/ChangeLog:

            PR libstdc++/95851
            * include/std/charconv (__to_chars_i): Check for zero-sized
            buffer unconditionally.
            * testsuite/20_util/to_chars/95851.cc: New test.

    (cherry picked from commit be50843754b4c4d47f0d628a84b3dbf2a4145a43)


* [Bug libstdc++/95851] [10/11 Regression] std::to_chars(p, p, c, 2) segfault
  2020-06-23 21:43 [Bug libstdc++/95851] New: [10/11 Regression] std::to_chars(p, p, c, 2) segfault redi at gcc dot gnu.org
                   ` (2 preceding siblings ...)
  2020-06-24 15:02 ` cvs-commit at gcc dot gnu.org
@ 2020-06-24 16:32 ` redi at gcc dot gnu.org
  3 siblings, 0 replies; 5+ messages in thread
From: redi at gcc dot gnu.org @ 2020-06-24 16:32 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95851

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Fixed for 10.2

