>Number:         7422
>Category:       libstdc++
>Synopsis:       strstreambuf frees buffer when being in frozen state
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jul 28 04:06:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Robert Schiele
>Release:        3.1.1
>Organization:
>Environment:
System: independent
Architecture: independent
host: independent
build: independent
target: independent
Configured with: /home/schiele/gcccvs/gcc-3.1.1/configure --enable-threads=posix --prefix=/opt/Pkg/Linux/i686/gcc311 --enable-languages=c,c++,f77,objc --disable-libgcj --with-gxx-include-dir=/opt/Pkg/Linux/i686/gcc311/include/g++ --with-system-zlib --enable-shared --enable-__cxa_atexit i486-suse-linux
>Description:
The attached sample program shows that strstreambuf frees its buffer even though it was forced into frozen mode by calling the str() method. Because of that, the generated string can be overwritten by code that reallocates this memory.

This is a regression from gcc 3.1!

I have not checked that, but possibly this is related to http://gcc.gnu.org/ml/gcc-patches/2002-05/msg01204.html and/or http://gcc.gnu.org/ml/libstdc++/2002-06/msg00089.html.
>How-To-Repeat:
# g++ -o strstreambug strstreambug.cc
[header warning]
# ./strstreambug
s(0x804a118):Text
s(0x804a118):ñòóôõö÷øùúûüýþÿ

should be (gcc-3.1):

# ./strstreambug
s(0x804a118):Text
s(0x804a118):Text
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: text/x-c++src; name="strstreambug.cc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="strstreambug.cc"
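
Added example, not part of this PR or its attachment: a regression check for the ownership contract the report relies on, namely that a buffer frozen by str() outlives the stream and is freed by the caller. The function names and the 16-byte fill are assumptions made for this sketch; it also shows the copy-then-unfreeze pattern that avoids holding a raw pointer past the stream's lifetime.

```cpp
// Added example: frozen-buffer ownership check for std::ostrstream::str().
#include <string>
#include <strstream>   // deprecated header; expect a compiler warning

// After str() the buffer is frozen: the stream's destructor must not free it,
// and the caller becomes responsible for delete[].
std::string read_after_stream_destroyed() {
    char* s = nullptr;
    {
        std::ostrstream t;
        t << "Text" << std::ends;
        s = t.str();               // freezes the buffer; caller now owns it
    }                              // t destroyed here; s must stay valid
    // Constructed allocation pressure: a fresh block that would reuse the
    // memory if the destructor had wrongly released the frozen buffer.
    char* a = new char[16];
    for (int j = 0; j < 16; ++j) a[j] = static_cast<char>(241 + j);
    std::string seen(s);           // valid read only if the contract holds
    delete[] a;
    delete[] s;                    // caller frees the frozen buffer
    return seen;
}

// Safer pattern: copy out while the stream is alive, then unfreeze so the
// stream's destructor releases its own buffer and no raw pointer escapes.
std::string copy_then_unfreeze() {
    std::ostrstream t;
    t << "Text" << std::ends;
    std::string copy(t.str());     // str() freezes; copy immediately
    t.freeze(false);               // hand ownership back to the stream
    return copy;
}

int main() {
    bool ok = read_after_stream_destroyed() == "Text" &&
              copy_then_unfreeze() == "Text";
    return ok ? 0 : 1;
}
```

On a library with the defect described above, the first function reads freed memory, so run it under a memory checker rather than relying on the return value alone.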