public inbox for libstdc++-cvs@sourceware.org help / color / mirror / Atom feed
From: Jonathan Wakely <redi@gcc.gnu.org> To: gcc-cvs@gcc.gnu.org, libstdc++-cvs@gcc.gnu.org Subject: [gcc r14-3136] libstdc++: Fix out-of-bounds read in format string "{:{}." [PR110974] Date: Thu, 10 Aug 2023 22:40:03 +0000 (GMT) [thread overview] Message-ID: <20230810224003.00A053858D32@sourceware.org> (raw) https://gcc.gnu.org/g:ecfd8c7ffecf9e8f851c996ec149fbda7ef202f5 commit r14-3136-gecfd8c7ffecf9e8f851c996ec149fbda7ef202f5 Author: Jonathan Wakely <jwakely@redhat.com> Date: Thu Aug 10 23:15:29 2023 +0100 libstdc++: Fix out-of-bounds read in format string "{:{}." [PR110974] libstdc++-v3/ChangeLog: PR libstdc++/110974 * include/std/format (_Spec::_S_parse_width_or_precision): Check for empty range before dereferencing iterator. * testsuite/std/format/string.cc: Check for expected exception. Fix expected exception message in test_pr110862() and actually call it. Diff: --- libstdc++-v3/include/std/format | 7 ++++--- libstdc++-v3/testsuite/std/format/string.cc | 21 ++++++++++++++++++++- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format index 5d7af53fc947..2fe430f75f69 100644 --- a/libstdc++-v3/include/std/format +++ b/libstdc++-v3/include/std/format @@ -520,10 +520,11 @@ namespace __format if (__first[0] != '.') return __first; - ++__first; + iterator __next = ++__first; bool __arg_id = false; - auto __next = _S_parse_width_or_precision(__first, __last, _M_prec, - __arg_id, __pc); + if (__next != __last) + __next = _S_parse_width_or_precision(__first, __last, _M_prec, + __arg_id, __pc); if (__next == __first) __throw_format_error("format error: missing precision after '.' in " "format string"); diff --git a/libstdc++-v3/testsuite/std/format/string.cc b/libstdc++-v3/testsuite/std/format/string.cc index 6a45237b8c4d..fef55b9bcd9e 100644 --- a/libstdc++-v3/testsuite/std/format/string.cc +++ b/libstdc++-v3/testsuite/std/format/string.cc @@ -137,7 +137,24 @@ test_pr110862() VERIFY( false ); } catch (const std::format_error& e) { std::string_view what = e.what(); - VERIFY( what.find("unmatched left brace") != what.npos ); + VERIFY( what.find("unmatched '{'") != what.npos ); + } +} + +void +test_pr110974() +{ + try { + // PR libstdc++/110974 out of bounds read on invalid format string "{:{}." + std::string_view fmt{"{:{}.0", 5}; // "0" is not part of the format string. + (void) std::vformat(fmt, std::make_format_args(1.0, 1)); + VERIFY( false ); + } catch (const std::format_error& e) { + std::string_view what = e.what(); + // GCC 13.2 throws "invalid width or precision in format-spec" after + // trying to parse the "0" past-the-end of the format string. + // There should be an exception before even trying that: + VERIFY( what.find("missing precision after '.'") != what.npos ); } } @@ -146,4 +163,6 @@ int main() test_no_args(); test_indexing(); test_format_spec(); + test_pr110862(); + test_pr110974(); }
reply other threads:[~2023-08-10 22:40 UTC|newest] Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20230810224003.00A053858D32@sourceware.org \ --to=redi@gcc.gnu.org \ --cc=gcc-cvs@gcc.gnu.org \ --cc=libstdc++-cvs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).