public inbox for libstdc++-cvs@sourceware.org
From: Jonathan Wakely <redi@gcc.gnu.org>
To: gcc-cvs@gcc.gnu.org, libstdc++-cvs@gcc.gnu.org
Subject: [gcc r14-3136] libstdc++: Fix out-of-bounds read in format string "{:{}." [PR110974]
Date: Thu, 10 Aug 2023 22:40:03 +0000 (GMT)
Message-ID: <20230810224003.00A053858D32@sourceware.org>

https://gcc.gnu.org/g:ecfd8c7ffecf9e8f851c996ec149fbda7ef202f5

commit r14-3136-gecfd8c7ffecf9e8f851c996ec149fbda7ef202f5
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Thu Aug 10 23:15:29 2023 +0100

    libstdc++: Fix out-of-bounds read in format string "{:{}." [PR110974]
    
    libstdc++-v3/ChangeLog:
    
            PR libstdc++/110974
            * include/std/format (_Spec::_S_parse_width_or_precision): Check
            for empty range before dereferencing iterator.
            * testsuite/std/format/string.cc: Check for expected exception.
            Fix expected exception message in test_pr110862() and actually
            call it.

Diff:
---
 libstdc++-v3/include/std/format             |  7 ++++---
 libstdc++-v3/testsuite/std/format/string.cc | 21 ++++++++++++++++++++-
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format
index 5d7af53fc947..2fe430f75f69 100644
--- a/libstdc++-v3/include/std/format
+++ b/libstdc++-v3/include/std/format
@@ -520,10 +520,11 @@ namespace __format
 	if (__first[0] != '.')
 	  return __first;
 
-	++__first;
+	iterator __next = ++__first;
 	bool __arg_id = false;
-	auto __next = _S_parse_width_or_precision(__first, __last, _M_prec,
-						  __arg_id, __pc);
+	if (__next != __last)
+	  __next = _S_parse_width_or_precision(__first, __last, _M_prec,
+					       __arg_id, __pc);
 	if (__next == __first)
 	  __throw_format_error("format error: missing precision after '.' in "
 			       "format string");
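
Review bot: the empty-range guard `if (__next != __last)` sits at this call site, while the ChangeLog entry attributes the check to `_Spec::_S_parse_width_or_precision`. If that helper reads `*__first` without testing `__first == __last`, every other caller has to repeat the guard, so consider moving the test into the helper (returning `__first` so callers reach their existing "missing ..." error) or documenting the non-empty precondition on it. The flow in this hunk is otherwise sound: with `__next` initialised from `++__first`, an exhausted range leaves `__next == __first` and falls into the existing `__throw_format_error` call.
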
diff --git a/libstdc++-v3/testsuite/std/format/string.cc b/libstdc++-v3/testsuite/std/format/string.cc
index 6a45237b8c4d..fef55b9bcd9e 100644
--- a/libstdc++-v3/testsuite/std/format/string.cc
+++ b/libstdc++-v3/testsuite/std/format/string.cc
@@ -137,7 +137,24 @@ test_pr110862()
     VERIFY( false );
   } catch (const std::format_error& e) {
     std::string_view what = e.what();
-    VERIFY( what.find("unmatched left brace") != what.npos );
+    VERIFY( what.find("unmatched '{'") != what.npos );
+  }
+}
+
+void
+test_pr110974()
+{
+  try {
+    // PR libstdc++/110974 out of bounds read on invalid format string "{:{}."
+    std::string_view fmt{"{:{}.0", 5}; // "0" is not part of the format string.
+    (void) std::vformat(fmt, std::make_format_args(1.0, 1));
+    VERIFY( false );
+  } catch (const std::format_error& e) {
+    std::string_view what = e.what();
+    // GCC 13.2 throws "invalid width or precision in format-spec" after
+    // trying to parse the "0" past-the-end of the format string.
+    // There should be an exception before even trying that:
+    VERIFY( what.find("missing precision after '.'") != what.npos );
   }
 }
 
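Review bot: `test_pr110974()` covers only the `"{:{}."` shape, where the truncated precision follows a nested width argument. The guard added in the header is on the `'.'` path regardless of what precedes it, so a second case with no width (for example a `string_view` of `"{:.0"` with length 3) would pin down the simpler input as well. Keeping the trailing `"0"` in the literal but outside the view is a good choice: the stray read stays inside the array, and the test tells old from new behaviour by the exception message instead of relying on a sanitizer.
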
@@ -146,4 +163,6 @@ int main()
   test_no_args();
   test_indexing();
   test_format_spec();
+  test_pr110862();
+  test_pr110974();
 }
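
Review bot: `test_pr110862()` was defined but never called from `main()` until this hunk, so its stale expected message went unnoticed. The test functions in this file have external linkage (`void test_pr110974()` above), which means the compiler cannot warn about an uncalled one. Consider giving them internal linkage (`static` or an unnamed namespace) so that `-Wunused-function` flags a test that is added but not wired into `main()`.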
