diff options
| author | Jonathan Wakely <jwakely@redhat.com> | 2023-08-10 23:15:29 +0100 |
|---|---|---|
| committer | Jonathan Wakely <jwakely@redhat.com> | 2023-08-10 23:31:37 +0100 |
| commit | ecfd8c7ffecf9e8f851c996ec149fbda7ef202f5 (patch) | |
| tree | 4347f48117f1b3f0c4e21824e2200a44a7b9405a | |
| parent | f48a5423964f72e2e1ba0ad6a14d9d1464a78bed (diff) | |
| download | gcc-ecfd8c7ffecf9e8f851c996ec149fbda7ef202f5.zip gcc-ecfd8c7ffecf9e8f851c996ec149fbda7ef202f5.tar.gz gcc-ecfd8c7ffecf9e8f851c996ec149fbda7ef202f5.tar.bz2 | |
libstdc++: Fix out-of-bounds read in format string "{:{}." [PR110974]
libstdc++-v3/ChangeLog:
PR libstdc++/110974
* include/std/format (_Spec::_S_parse_width_or_precision): Check
for empty range before dereferencing iterator.
* testsuite/std/format/string.cc: Check for expected exception.
Fix expected exception message in test_pr110862() and actually
call it.
| -rw-r--r-- | libstdc++-v3/include/std/format | 7 | ||||
| -rw-r--r-- | libstdc++-v3/testsuite/std/format/string.cc | 21 |
2 files changed, 24 insertions, 4 deletions
diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format index 5d7af53..2fe430f 100644 --- a/libstdc++-v3/include/std/format +++ b/libstdc++-v3/include/std/format @@ -520,10 +520,11 @@ namespace __format if (__first[0] != '.') return __first; - ++__first; + iterator __next = ++__first; bool __arg_id = false; - auto __next = _S_parse_width_or_precision(__first, __last, _M_prec, - __arg_id, __pc); + if (__next != __last) + __next = _S_parse_width_or_precision(__first, __last, _M_prec, + __arg_id, __pc); if (__next == __first) __throw_format_error("format error: missing precision after '.' in " "format string"); diff --git a/libstdc++-v3/testsuite/std/format/string.cc b/libstdc++-v3/testsuite/std/format/string.cc index 6a45237..fef55b9 100644 --- a/libstdc++-v3/testsuite/std/format/string.cc +++ b/libstdc++-v3/testsuite/std/format/string.cc @@ -137,7 +137,24 @@ test_pr110862() VERIFY( false ); } catch (const std::format_error& e) { std::string_view what = e.what(); - VERIFY( what.find("unmatched left brace") != what.npos ); + VERIFY( what.find("unmatched '{'") != what.npos ); + } +} + +void +test_pr110974() +{ + try { + // PR libstdc++/110974 out of bounds read on invalid format string "{:{}." + std::string_view fmt{"{:{}.0", 5}; // "0" is not part of the format string. + (void) std::vformat(fmt, std::make_format_args(1.0, 1)); + VERIFY( false ); + } catch (const std::format_error& e) { + std::string_view what = e.what(); + // GCC 13.2 throws "invalid width or precision in format-spec" after + // trying to parse the "0" past-the-end of the format string. + // There should be an exception before even trying that: + VERIFY( what.find("missing precision after '.'") != what.npos ); } } @@ -146,4 +163,6 @@ int main() test_no_args(); test_indexing(); test_format_spec(); + test_pr110862(); + test_pr110974(); } |