From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2100) id 2D4BB384C005; Tue, 18 Aug 2020 01:32:06 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2D4BB384C005 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1597714326; bh=JgoEkl1RMrgkikfvolBP/0wJcsXF77HVu8zwIFAYmHg=; h=From:To:Subject:Date:From; b=V0YenSyAP/je8NkMctKqnzqriD3T4JyknHCH0bTLAG6xvWVAhkGgjxc5EtND4TTQW G0FMgPhqMbk/O2cjjVGWhha/h1o2sSjTL+HTuLZakVmLQysXTF2Hc9EKZYV7Z3mGzH 3CgeoRDkObsgNFmeNLbo+wlTNrRbuhk+EPAnOEAE= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Giuliano Belinassi To: gcc-cvs@gcc.gnu.org, libstdc++-cvs@gcc.gnu.org Subject: [gcc(refs/users/giulianob/heads/autopar_rebase2)] libstdc++: Adjust overflow prevention to operator>> X-Act-Checkin: gcc X-Git-Author: Jonathan Wakely X-Git-Refname: refs/users/giulianob/heads/autopar_rebase2 X-Git-Oldrev: 43f5831006277036b07a9c4637d092e0c3d32ceb X-Git-Newrev: da3d64a7cde5326c90319eb686f322213d32165b Message-Id: <20200818013206.2D4BB384C005@sourceware.org> Date: Tue, 18 Aug 2020 01:32:06 +0000 (GMT) X-BeenThere: libstdc++-cvs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libstdc++-cvs mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Aug 2020 01:32:06 -0000 https://gcc.gnu.org/g:da3d64a7cde5326c90319eb686f322213d32165b commit da3d64a7cde5326c90319eb686f322213d32165b Author: Jonathan Wakely Date: Thu Aug 6 16:16:33 2020 +0100 libstdc++: Adjust overflow prevention to operator>> This adjusts the overflow prevention added to operator>> so that we can distinguish "unknown size" from "zero size", and avoid writing anything at all in to zero sized buffers. This also removes the incorrect comment saying extraction stops at a null byte. libstdc++-v3/ChangeLog: * include/std/istream (operator>>(istream&, char*)): Add attributes to get warnings for pointers that are null or known to point to the end of a buffer. Request upper bound from __builtin_object_size check and handle zero-sized buffer case. (operator>>(istream&, signed char)) (operator>>(istream&, unsigned char*)): Add attributes. * testsuite/27_io/basic_istream/extractors_character/char/overflow.cc: Check extracting into the middle of a buffer. * testsuite/27_io/basic_istream/extractors_character/wchar_t/overflow.cc: New test. Diff: --- libstdc++-v3/include/std/istream | 26 +++++++--- .../extractors_character/char/overflow.cc | 21 ++++++-- .../extractors_character/wchar_t/overflow.cc | 57 ++++++++++++++++++++++ 3 files changed, 94 insertions(+), 10 deletions(-) diff --git a/libstdc++-v3/include/std/istream b/libstdc++-v3/include/std/istream index cb8e9f87c90..20a455a0ef1 100644 --- a/libstdc++-v3/include/std/istream +++ b/libstdc++-v3/include/std/istream @@ -790,7 +790,6 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION * - `n - 1` characters are stored * - EOF is reached * - the next character is whitespace according to the current locale - * - the next character is a null byte (i.e., `charT()`) * * `width(0)` is then called for the input stream. * @@ -799,25 +798,38 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION #if __cplusplus <= 201703L template + __attribute__((__nonnull__(2), __access__(__write_only__, 2))) inline basic_istream<_CharT, _Traits>& operator>>(basic_istream<_CharT, _Traits>& __in, _CharT* __s) { - streamsize __n = __builtin_object_size(__s, 2) / sizeof(_CharT); - if (__n == 0) - __n = __gnu_cxx::__numeric_traits::__max / sizeof(_CharT); - std::__istream_extract(__in, __s, __n); + size_t __n = __builtin_object_size(__s, 0); + if (__builtin_expect(__n < sizeof(_CharT), false)) + { + // There is not even space for the required null terminator. + __glibcxx_assert(__n >= sizeof(_CharT)); + __in.width(0); + __in.setstate(ios_base::failbit); + } + else + { + if (__n == (size_t)-1) + __n = __gnu_cxx::__numeric_traits::__max; + std::__istream_extract(__in, __s, __n / sizeof(_CharT)); + } return __in; } template + __attribute__((__nonnull__(2), __access__(__write_only__, 2))) inline basic_istream& operator>>(basic_istream& __in, unsigned char* __s) - { return (__in >> reinterpret_cast(__s)); } + { return __in >> reinterpret_cast(__s); } template + __attribute__((__nonnull__(2), __access__(__write_only__, 2))) inline basic_istream& operator>>(basic_istream& __in, signed char* __s) - { return (__in >> reinterpret_cast(__s)); } + { return __in >> reinterpret_cast(__s); } #else // _GLIBCXX_RESOLVE_LIB_DEFECTS // 2499. operator>>(istream&, char*) makes it hard to avoid buffer overflows diff --git a/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/char/overflow.cc b/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/char/overflow.cc index 1141a41b208..abbba8bb09b 100644 --- a/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/char/overflow.cc +++ b/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/char/overflow.cc @@ -15,14 +15,14 @@ // with this library; see the file COPYING3. If not see // . -// { dg-options "-O2 -std=gnu++98" } +// { dg-options "-O2" } // { dg-do run } // This test checks that operator>> will avoid a buffer overflow when // reading into a buffer with a size that is known at compile time. // Since C++20 this is guaranteed (see LWG 2499), for previous standards -// we try to check the buffer size as an extension (which depends on -O2). +// checking the buffer size is an extension and depends on optimisation. #include #include @@ -30,11 +30,24 @@ void test01() { - std::istringstream in("foolish child"); + std::istringstream in("foolishly"); char pc[5]; in >> pc; VERIFY( in.good() ); VERIFY( std::string(pc) == "fool" ); + +#if __cplusplus <= 201703L + char* p = pc + 1; + in >> p; + VERIFY( in.good() ); + VERIFY( std::string(pc) == "fish" ); + + p = pc + 4; + *p = '#'; + in >> p; + VERIFY( in.fail() ); // if no characters are extracted, failbit is set + VERIFY( *p == '\0' ); +#endif } void @@ -61,4 +74,6 @@ int main() { test01(); + test02(); + test03(); } diff --git a/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/wchar_t/overflow.cc b/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/wchar_t/overflow.cc new file mode 100644 index 00000000000..6a23f1305a3 --- /dev/null +++ b/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/wchar_t/overflow.cc @@ -0,0 +1,57 @@ +// Copyright (C) 2020 Free Software Foundation, Inc. +// +// This file is part of the GNU ISO C++ Library. This library is free +// software; you can redistribute it and/or modify it under the +// terms of the GNU General Public License as published by the +// Free Software Foundation; either version 3, or (at your option) +// any later version. + +// This library is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. + +// You should have received a copy of the GNU General Public License along +// with this library; see the file COPYING3. If not see +// . + +// { dg-options "-O2" } +// { dg-do run } + +// This test checks that operator>> will avoid a buffer overflow when +// reading into a buffer with a size that is known at compile time. + +// Since C++20 this is guaranteed (see LWG 2499), for previous standards +// checking the buffer size is an extension and depends on optimisation. + +#include +#include + +void +test01() +{ + std::wistringstream in(L"foolishly"); + wchar_t pc[5]; + in >> pc; + VERIFY( in.good() ); + VERIFY( std::wstring(pc) == L"fool" ); + +#if __cplusplus <= 201703L + wchar_t* p = pc + 1; + in >> p; + VERIFY( in.good() ); + VERIFY( std::wstring(pc) == L"fish" ); + + p = pc + 4; + *p = L'#'; + in >> p; + VERIFY( in.fail() ); // if no characters are extracted, failbit is set + VERIFY( *p == L'\0' ); +#endif +} + +int +main() +{ + test01(); +}