From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 7615 invoked by alias); 2 Feb 2003 11:56:00 -0000
Mailing-List: contact gcc-prs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Archive:
List-Post:
List-Help:
Sender: gcc-prs-owner@gcc.gnu.org
Received: (qmail 7596 invoked by uid 71); 2 Feb 2003 11:56:00 -0000
Resent-Date: 2 Feb 2003 11:56:00 -0000
Resent-Message-ID: <20030202115600.7595.qmail@sources.redhat.com>
Resent-From: gcc-gnats@gcc.gnu.org (GNATS Filer)
Resent-Cc: gcc-prs@gcc.gnu.org, gcc-bugs@gcc.gnu.org
Resent-Reply-To: gcc-gnats@gcc.gnu.org, peturr02@ru.is
Received: (qmail 2548 invoked by uid 48); 2 Feb 2003 11:47:44 -0000
Message-Id: <20030202114744.2547.qmail@sources.redhat.com>
Date: Sun, 02 Feb 2003 11:56:00 -0000
From: peturr02@ru.is
Reply-To: peturr02@ru.is
To: gcc-gnats@gcc.gnu.org
X-Send-Pr-Version: gnatsweb-2.9.3 (1.1.1.1.2.31)
Subject: libstdc++/9538: Out-of-bounds memory access in streambuf::sputbackc
X-SW-Source: 2003-02/txt/msg00044.txt.bz2
List-Id:

>Number: 9538
>Category: libstdc++
>Synopsis: Out-of-bounds memory access in streambuf::sputbackc
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: unassigned
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Feb 02 11:56:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: peturr02@ru.is
>Release: gcc-3.2.1
>Organization:
>Environment:
Red Hat Linux 8.0
>Description:
basic_streambuf<>::sputbackc accesses gptr()[-1] without first
checking if gptr() > eback(). This can be a fatal error if
(gptr() - 1) is not a valid address or if char_type is a class type.
>How-To-Repeat:
See attachment.
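>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: text/plain; name="sputbackcbug2.cc"
Content-Disposition: inline; filename="sputbackcbug2.cc"

#include <streambuf>
#undef NDEBUG
#include <cassert>
#include <cstring>	// memset
using namespace std;

// Traits whose eq() asserts that it is never handed a negative
// (i.e. guard) character.
class MyTraits : public char_traits<char>
{
public:
	static bool eq(char c1, char c2)
	{
		assert(c1 >= 0);
		assert(c2 >= 0);
		return char_traits<char>::eq(c1, c2);
	}
};

class MyBuf : public basic_streambuf<char, MyTraits>
{
	char buffer[8];

public:
	MyBuf()
	{
		// Fill the array with -1, zero the middle four bytes and make
		// those the get area, with gptr() == eback().
		memset(buffer, -1, sizeof(buffer));
		memset(buffer + 2, 0, 4);
		setg(buffer + 2, buffer + 2, buffer + 6);
	}
};

int main()
{
	MyBuf mb;
	// No putback position is available, so gptr()[-1] must not be read.
	mb.sputbackc(0);
	return 0;
}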
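
The ordering problem described in this report, as an added example that is not part of the original report or of libstdc++: the same put-back written once with gptr()[-1] read before any bounds test and once with the gptr() > eback() test first, plus a call to the installed library's own sputbackc. GUARD, GuardTraits, DemoBuf, putback_unchecked, putback_checked and guard_hits_for are hypothetical names; the guard bytes stay inside the array, so the demo read is defined and only counted.

```cpp
#include <cstring>
#include <streambuf>

const char GUARD = '\xff';  // constructed sentinel for bytes outside the get area

struct GuardTraits : std::char_traits<char> {
    static int guard_hits;  // eq() calls that were handed a guard byte
    static bool eq(char a, char b) {
        if (a == GUARD || b == GUARD) ++guard_hits;
        return std::char_traits<char>::eq(a, b);
    }
};
int GuardTraits::guard_hits = 0;

class DemoBuf : public std::basic_streambuf<char, GuardTraits> {
    char buffer[8];  // [0,2) and [6,8) are guards, [2,6) is the get area
public:
    DemoBuf() {
        std::memset(buffer, GUARD, sizeof buffer);
        std::memset(buffer + 2, 0, 4);
        setg(buffer + 2, buffer + 2, buffer + 6);
    }
    // Order the report describes: gptr()[-1] is read before any bounds test.
    int_type putback_unchecked(char c) {
        if (!traits_type::eq(c, gptr()[-1]))
            return pbackfail(traits_type::to_int_type(c));
        gbump(-1);
        return traits_type::to_int_type(*gptr());
    }
    // Hardened order: a putback position must exist before gptr()[-1] is read.
    int_type putback_checked(char c) {
        if (gptr() == eback() || !traits_type::eq(c, gptr()[-1]))
            return pbackfail(traits_type::to_int_type(c));
        gbump(-1);
        return traits_type::to_int_type(*gptr());
    }
};

enum Mode { UNCHECKED, CHECKED, LIBRARY };
// Put back one character at the start of the get area; count guard-byte reads.
int guard_hits_for(Mode m) {
    GuardTraits::guard_hits = 0;
    DemoBuf b;
    if (m == UNCHECKED) b.putback_unchecked(0);
    else if (m == CHECKED) b.putback_checked(0);
    else b.sputbackc(0);  // the installed standard library's own sputbackc
    return GuardTraits::guard_hits;
}
// Exit status 0 means neither bounds-checked path compared against a guard byte.
int main() { return guard_hits_for(CHECKED) + guard_hits_for(LIBRARY); }
```

A non-zero exit status from the LIBRARY case means the standard library in use still reads gptr()[-1] when gptr() == eback().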