From: Jonathan Wakely <jwakely@redhat.com>
To: libstdc++@gcc.gnu.org, gcc-patches@gcc.gnu.org
Subject: [committed] libstdc++: Fix past-the-end increment in std::format [PR110862]
Date: Mon, 7 Aug 2023 22:12:11 +0100 [thread overview]
Message-ID: <20230807211234.701538-1-jwakely@redhat.com> (raw)
Tested x86_64-linux. Pushed to trunk. gcc-13 backport to follow.
-- >8 --
At the end of a replacement field we should check that the closing brace
is actually present before incrementing past it.
libstdc++-v3/ChangeLog:
PR libstdc++/110862
* include/std/format (_Scanner::_M_on_replacement_field):
Check for expected '}' before incrementing iterator.
* testsuite/std/format/string.cc: Check "{0:{0}" format string.
---
libstdc++-v3/include/std/format | 4 +++-
libstdc++-v3/testsuite/std/format/string.cc | 13 +++++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format
index 1e0ef612ddd..0debbae5ba8 100644
--- a/libstdc++-v3/include/std/format
+++ b/libstdc++-v3/include/std/format
@@ -3534,7 +3534,9 @@ namespace __format
_M_pc.advance_to(__ptr);
}
_M_format_arg(__id);
- _M_pc.advance_to(_M_pc.begin() + 1); // Move past '}'
+ if (begin() == end() || *begin() != '}')
+ __format::__unmatched_left_brace_in_format_string();
+ _M_pc.advance_to(begin() + 1); // Move past '}'
}
constexpr virtual void _M_format_arg(size_t __id) = 0;
diff --git a/libstdc++-v3/testsuite/std/format/string.cc b/libstdc++-v3/testsuite/std/format/string.cc
index d28135ec260..6a45237b8c4 100644
--- a/libstdc++-v3/testsuite/std/format/string.cc
+++ b/libstdc++-v3/testsuite/std/format/string.cc
@@ -128,6 +128,19 @@ test_format_spec()
VERIFY( ! is_format_string_for("{:9999999}", 1) );
}
+void
+test_pr110862()
+{
+ try {
+ // PR libstdc++/110862 out-of-bounds read on invalid format string
+ (void) std::vformat("{0:{0}", std::make_format_args(1));
+ VERIFY( false );
+ } catch (const std::format_error& e) {
+ std::string_view what = e.what();
+ VERIFY( what.find("unmatched left brace") != what.npos );
+ }
+}
+
int main()
{
test_no_args();
--
2.41.0
reply other threads:[~2023-08-07 21:12 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230807211234.701538-1-jwakely@redhat.com \
--to=jwakely@redhat.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=libstdc++@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).