From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <redi@sourceware.org>
Received: by sourceware.org (Postfix, from userid 2181)
 id 869543840C21; Wed, 24 Jun 2020 15:02:22 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 869543840C21
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
 s=default; t=1593010942;
 bh=SlEcQHh+eiOlSrsGiUGxROQmxvPErGSNMXz2tOp7qlI=;
 h=From:To:Subject:Date:From;
 b=xrvE66Q+EprbixfIhfGvRho5fmMLpOOxPXac7D5seVTfiTz3spfmHqooqSIyycKhn
 h9CUGACmFvA2Yx4XkB3l3zVpF6uDZOKH/Q+7f0xG5AkMZPj7xwkRmWfgnSEHwZmEwJ
 UfasppXghbvUa3PtX6VKReWs8BDG0Y7RazBTEIgE=
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Jonathan Wakely <redi@gcc.gnu.org>
To: gcc-cvs@gcc.gnu.org, libstdc++-cvs@gcc.gnu.org
Subject: [gcc r10-8360] libstdc++: Fix std::to_chars buffer overflow (PR 95851)
X-Act-Checkin: gcc
X-Git-Author: Jonathan Wakely <jwakely@redhat.com>
X-Git-Refname: refs/heads/releases/gcc-10
X-Git-Oldrev: f3a27a610b0eb9a7ea76f61b4fecf7e66e86a3e1
X-Git-Newrev: ff5c8fe44a98025c1e700cfc033247965e293869
Message-Id: <20200624150222.869543840C21@sourceware.org>
Date: Wed, 24 Jun 2020 15:02:22 +0000 (GMT)
X-BeenThere: libstdc++-cvs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libstdc++-cvs mailing list <libstdc++-cvs.gcc.gnu.org>
List-Unsubscribe: <http://gcc.gnu.org/mailman/options/libstdc++-cvs>,
 <mailto:libstdc++-cvs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/libstdc++-cvs/>
List-Help: <mailto:libstdc++-cvs-request@gcc.gnu.org?subject=help>
List-Subscribe: <http://gcc.gnu.org/mailman/listinfo/libstdc++-cvs>,
 <mailto:libstdc++-cvs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2020 15:02:22 -0000

https://gcc.gnu.org/g:ff5c8fe44a98025c1e700cfc033247965e293869

commit r10-8360-gff5c8fe44a98025c1e700cfc033247965e293869
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Tue Jun 23 22:47:58 2020 +0100

    libstdc++: Fix std::to_chars buffer overflow (PR 95851)
    
    The __detail::__to_chars_2 function assumes it won't be called with zero
    values. However, when the output buffer is empty the caller doesn't
    handle zero values correctly, and calls __to_chars_2 with a zero value,
    resulting in an overflow of the empty buffer.
    
    The __detail::__to_chars_i function should just return immediately for
    an empty buffer, and otherwise ensure zero values are handled properly.
    
    libstdc++-v3/ChangeLog:
    
            PR libstdc++/95851
            * include/std/charconv (__to_chars_i): Check for zero-sized
            buffer unconditionally.
            * testsuite/20_util/to_chars/95851.cc: New test.
    
    (cherry picked from commit be50843754b4c4d47f0d628a84b3dbf2a4145a43)

Diff:
---
 libstdc++-v3/include/std/charconv                |  5 +++-
 libstdc++-v3/testsuite/20_util/to_chars/95851.cc | 36 ++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/libstdc++-v3/include/std/charconv b/libstdc++-v3/include/std/charconv
index 3caa0f8ac10..77a72d40dd0 100644
--- a/libstdc++-v3/include/std/charconv
+++ b/libstdc++-v3/include/std/charconv
@@ -327,7 +327,10 @@ namespace __detail
       using _Up = __detail::__unsigned_least_t<_Tp>;
       _Up __unsigned_val = __value;
 
-      if (__value == 0 && __first != __last)
+      if (__first == __last) [[__unlikely__]]
+	return { __last, errc::value_too_large };
+
+      if (__value == 0)
 	{
 	  *__first = '0';
 	  return { __first + 1, errc{} };
diff --git a/libstdc++-v3/testsuite/20_util/to_chars/95851.cc b/libstdc++-v3/testsuite/20_util/to_chars/95851.cc
new file mode 100644
index 00000000000..5f0daf3b30b
--- /dev/null
+++ b/libstdc++-v3/testsuite/20_util/to_chars/95851.cc
@@ -0,0 +1,36 @@
+// Copyright (C) 2020 Free Software Foundation, Inc.
+//
+// This file is part of the GNU ISO C++ Library.  This library is free
+// software; you can redistribute it and/or modify it under the
+// terms of the GNU General Public License as published by the
+// Free Software Foundation; either version 3, or (at your option)
+// any later version.
+
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License along
+// with this library; see the file COPYING3.  If not see
+// <http://www.gnu.org/licenses/>.
+
+// { dg-do run { target c++14 } }
+
+#include <charconv>
+#include <testsuite_hooks.h>
+
+void
+test01()
+{
+  char* p = nullptr;
+  auto res = std::to_chars(p, p, 0, 2); // PR libstdc++/95851
+  VERIFY( res.ptr == p );
+  VERIFY( res.ec == std::errc::value_too_large );
+}
+
+int
+main()
+{
+  test01();
+}