From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2181) id 00A053858D32; Thu, 10 Aug 2023 22:40:02 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 00A053858D32 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1691707203; bh=cJhip0BY/Y60yGf00P9jf5sEId9hkloJ6J4/Ft6JgfY=; h=From:To:Subject:Date:From; b=cSJIWGq+pWD+NbNrv8YbmyUAQFTk+ZeeQZqQddfzSYqHd3Q6Qs0JuOJNFYlZn7hcH lvvQD/Ppl7gQV5FeOb+l+8KCc4Qm3b5yoyrx1+O4g1F2ozYvPRKCWNogEHdUl0ebxu XMDf2J5EOrCr7ZsrH7sOdeZBODJ3WPh1NUwRmQQQ= MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="utf-8" From: Jonathan Wakely To: gcc-cvs@gcc.gnu.org, libstdc++-cvs@gcc.gnu.org Subject: [gcc r14-3136] libstdc++: Fix out-of-bounds read in format string "{:{}." [PR110974] X-Act-Checkin: gcc X-Git-Author: Jonathan Wakely X-Git-Refname: refs/heads/master X-Git-Oldrev: f48a5423964f72e2e1ba0ad6a14d9d1464a78bed X-Git-Newrev: ecfd8c7ffecf9e8f851c996ec149fbda7ef202f5 Message-Id: <20230810224003.00A053858D32@sourceware.org> Date: Thu, 10 Aug 2023 22:40:03 +0000 (GMT) List-Id: https://gcc.gnu.org/g:ecfd8c7ffecf9e8f851c996ec149fbda7ef202f5 commit r14-3136-gecfd8c7ffecf9e8f851c996ec149fbda7ef202f5 Author: Jonathan Wakely Date: Thu Aug 10 23:15:29 2023 +0100 libstdc++: Fix out-of-bounds read in format string "{:{}." [PR110974] libstdc++-v3/ChangeLog: PR libstdc++/110974 * include/std/format (_Spec::_S_parse_width_or_precision): Check for empty range before dereferencing iterator. * testsuite/std/format/string.cc: Check for expected exception. Fix expected exception message in test_pr110862() and actually call it. Diff: --- libstdc++-v3/include/std/format | 7 ++++--- libstdc++-v3/testsuite/std/format/string.cc | 21 ++++++++++++++++++++- 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format
index 5d7af53fc947..2fe430f75f69 100644
--- a/libstdc++-v3/include/std/format
+++ b/libstdc++-v3/include/std/format
@@ -520,10 +520,11 @@ namespace __format
 if (__first[0] != '.')
 return __first;
- ++__first;
+ iterator __next = ++__first;
 bool __arg_id = false;
- auto __next = _S_parse_width_or_precision(__first, __last, _M_prec,
- __arg_id, __pc);
+ if (__next != __last)
+ __next = _S_parse_width_or_precision(__first, __last, _M_prec,
+ __arg_id, __pc);
 if (__next == __first)
 __throw_format_error("format error: missing precision after '.' in "
 "format string");
diff --git a/libstdc++-v3/testsuite/std/format/string.cc b/libstdc++-v3/testsuite/std/format/string.cc
index 6a45237b8c4d..fef55b9bcd9e 100644
--- a/libstdc++-v3/testsuite/std/format/string.cc
+++ b/libstdc++-v3/testsuite/std/format/string.cc
@@ -137,7 +137,24 @@ test_pr110862()
 VERIFY( false );
 } catch (const std::format_error& e) {
 std::string_view what = e.what();
- VERIFY( what.find("unmatched left brace") != what.npos );
+ VERIFY( what.find("unmatched '{'") != what.npos );
+ }
+}
+
+void
+test_pr110974()
+{
+ try {
+ // PR libstdc++/110974 out of bounds read on invalid format string "{:{}."
+ std::string_view fmt{"{:{}.0", 5}; // "0" is not part of the format string.
+ (void) std::vformat(fmt, std::make_format_args(1.0, 1));
+ VERIFY( false );
+ } catch (const std::format_error& e) {
+ std::string_view what = e.what();
+ // GCC 13.2 throws "invalid width or precision in format-spec" after
+ // trying to parse the "0" past-the-end of the format string.
+ // There should be an exception before even trying that:
+ VERIFY( what.find("missing precision after '.'") != what.npos );
 }
 }
@@ -146,4 +163,6 @@ int main()
 test_no_args();
 test_indexing();
 test_format_spec();
+ test_pr110862();
+ test_pr110974();
 }
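Review bot: The empty-range check is placed at this one call site, so `_S_parse_width_or_precision` keeps an unstated precondition that `__first != __last`; the ChangeLog entry names the helper, but the lines changed in the first hunk appear to be in its caller. The helper's body is outside the hunk, so whether its other callers (presumably the width path) always pass a non-empty range cannot be confirmed from this patch. I would either state it on the helper with `// Precondition: __first != __last.` or move the test inside it as `if (__first == __last) return __first;`, which would leave the existing `__next == __first` error path here working unchanged. The enclosing function begins and ends outside the hunk.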
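Review bot: test_pr110974() pins only the nested-width spelling `"{:{}."`, while the guarded branch in include/std/format is taken whenever '.' is the last character of the range, so a plain truncated precision looks like it reaches the same code. Unless it is covered elsewhere in the file, a second case such as `std::string_view fmt2{"{:.0", 3};` followed by `(void) std::vformat(fmt2, std::make_format_args(1.0));` with the same `missing precision after '.'` check would pin that too. The test observes the over-read only through the exception text, because the byte after the view is the in-bounds `'0'` of the literal; a variant that builds the view over an exactly-sized buffer would also let an AddressSanitizer run flag a regression directly.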