libstdc++: Fix out-of-bounds read in format string "{:{}." [PR110974]

author Jonathan Wakely <jwakely@redhat.com>

Thu, 10 Aug 2023 22:15:29 +0000 (23:15 +0100)

committer Jonathan Wakely <jwakely@redhat.com>

Thu, 10 Aug 2023 22:31:37 +0000 (23:31 +0100)
author Jonathan Wakely <jwakely@redhat.com>
Thu, 10 Aug 2023 22:15:29 +0000 (23:15 +0100)
committer Jonathan Wakely <jwakely@redhat.com>
Thu, 10 Aug 2023 22:31:37 +0000 (23:31 +0100)
diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format

index 5d7af53fc947dfc69a4ea61ad0b9a841b1f72665..2fe430f75f69bf9419489357c28b523615214a9a 100644 (file)
--- a/libstdc++-v3/include/std/format
+++ b/libstdc++-v3/include/std/format
@@ -520,10 +520,11 @@ namespace __format
         if (__first[0] != '.')
           return __first;
  
-       ++__first;
+       iterator __next = ++__first;
         bool __arg_id = false;
-       auto __next = _S_parse_width_or_precision(__first, __last, _M_prec,
-                                                 __arg_id, __pc);
+       if (__next != __last)
+         __next = _S_parse_width_or_precision(__first, __last, _M_prec,
+                                              __arg_id, __pc);
         if (__next == __first)
           __throw_format_error("format error: missing precision after '.' in "
                                "format string");
diff --git a/libstdc++-v3/testsuite/std/format/string.cc b/libstdc++-v3/testsuite/std/format/string.cc

index 6a45237b8c4d5723465d53cac55842663a2fb005..fef55b9bcd9e0bfe8f961b36ec09437264e005a4 100644 (file)
--- a/libstdc++-v3/testsuite/std/format/string.cc
+++ b/libstdc++-v3/testsuite/std/format/string.cc
@@ -137,7 +137,24 @@ test_pr110862()
      VERIFY( false );
    } catch (const std::format_error& e) {
      std::string_view what = e.what();
-    VERIFY( what.find("unmatched left brace") != what.npos );
+    VERIFY( what.find("unmatched '{'") != what.npos );
+  }
+}
+
+void
+test_pr110974()
+{
+  try {
+    // PR libstdc++/110974 out of bounds read on invalid format string "{:{}."
+    std::string_view fmt{"{:{}.0", 5}; // "0" is not part of the format string.
+    (void) std::vformat(fmt, std::make_format_args(1.0, 1));
+    VERIFY( false );
+  } catch (const std::format_error& e) {
+    std::string_view what = e.what();
+    // GCC 13.2 throws "invalid width or precision in format-spec" after
+    // trying to parse the "0" past-the-end of the format string.
+    // There should be an exception before even trying that:
+    VERIFY( what.find("missing precision after '.'") != what.npos );
    }
  }
  
@@ -146,4 +163,6 @@ int main()
    test_no_args();
    test_indexing();
    test_format_spec();
+  test_pr110862();
+  test_pr110974();
  }
author	Jonathan Wakely <jwakely@redhat.com>
	Thu, 10 Aug 2023 22:15:29 +0000 (23:15 +0100)
committer	Jonathan Wakely <jwakely@redhat.com>
	Thu, 10 Aug 2023 22:31:37 +0000 (23:31 +0100)
libstdc++-v3/include/std/format		patch \| blob \| blame \| history
libstdc++-v3/testsuite/std/format/string.cc		patch \| blob \| blame \| history