From: Kefu Chai
To: libstdc++@gcc.gnu.org
Cc: Kefu Chai, Kefu Chai
Subject: [PATCH v1 1/1] libstdc++: Set _M_string_length before calling _M_dispose()
Date: Mon, 1 May 2023 15:06:22 +0800
Message-Id: <20230501070622.847749-2-tchaikov@gmail.com>
In-Reply-To: <20230501070622.847749-1-tchaikov@gmail.com>
References: <20230501070622.847749-1-tchaikov@gmail.com>

This always sets _M_string_length in the constructor specialized for range of input_iterator, for the cases like istringstream.

We copy from source range to the local buffer, and then reallocate to a larger one if necessary, when disposing the old buffer. And the old buffer could be provisioned by the local buffer or an allocated buffer. _M_is_local() is used to tell if the buffer is the local one or not. In addition to comparing the buffer address with the local buffer, this function also performs the sanity check if _M_string_length is greater than _S_local_capacity; if the check fails, __builtin_unreachable() is called. But we failed to set _M_string_length in this constructor specialized for std::input_iterator. So, if UBSan is enabled when compiling the source, there are chances that the uninitialized data in _M_string_length is greater than _S_local_capacity, and the application aborts with a runtime error or exception emitted by UBSan.

In this change, to avoid the false alarm, _M_string_length is updated with the number of bytes copied to the local buffer, so that _M_is_local() is able to check based on the correct length.

This issue only surfaces when constructing a string with a range of input_iterator, and the uninitialized _M_string_length is greater than _S_local_capacity, i.e., 15. libstdc++-v3/ChangeLog: * include/bits/basic_string.tcc (_M_construct): Set _M_string_length before calling _M_dispose(). Signed-off-by: Kefu Chai --- libstdc++-v3/include/bits/basic_string.tcc | 1 + 1 file changed, 1 insertion(+) diff --git a/libstdc++-v3/include/bits/basic_string.tcc b/libstdc++-v3/include/bits/basic_string.tcc index 99fdbeee5ad..ec2198ee20b 100644 --- a/libstdc++-v3/include/bits/basic_string.tcc +++ b/libstdc++-v3/include/bits/basic_string.tcc @@ -177,6 +177,7 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION __p[__len++] = *__beg; ++__beg; } + _M_length(__len); struct _Guard { -- 2.40.1
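
Review bot: the added `_M_length(__len);` after the local-buffer copy loop carries no comment, so a reader of basic_string.tcc cannot tell that it is there to give _M_is_local() an initialized _M_string_length before _M_dispose() runs, and it could be dropped as redundant in a later cleanup; add a one-line comment above it saying so. The diffstat shows only basic_string.tcc changed (1 insertion), so nothing exercises the fix: a testsuite case that constructs a string from an input-iterator range (the message names istringstream as the typical source) longer than _S_local_capacity, built with UBSan enabled, would cover the path described in the message. The message also calls the UBSan report a "false alarm" while describing a read of uninitialized _M_string_length; it would be worth stating in the ChangeLog text which of the two is meant.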