From: Paul Dreik Date: Thu, 24 Aug 2023 10:43:43 +0000 (+0100) Subject: libstdc++: fix illegal pointer arithmetic in format [PR111102] X-Git-Tag: basepoints/gcc-15~6682 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd4bdb9eea436bf06f175d8dbfc2190377455be4;p=thirdparty%2Fgcc.git libstdc++: fix illegal pointer arithmetic in format [PR111102] When parsing a format string, the width is parsed into an unsigned short but the result is not checked in the case the format string is not a char string (such as a wide string). In case the parse fails, a null pointer is returned which is used for pointer arithmetic which is undefined behaviour. Signed-off-by: Paul Dreik libstdc++-v3/ChangeLog: PR libstdc++/111102 * include/std/format (__format::__parse_integer): Check for non-null pointer.
---
diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format
index f3d9ae152f90..fe2caa586881 100644
--- a/libstdc++-v3/include/std/format
+++ b/libstdc++-v3/include/std/format
@@ -285,7 +285,8 @@ namespace __format
 for (int __i = 0; __i < __n && (__first + __i) != __last; ++__i)
 __buf[__i] = __first[__i];
 auto [__v, __ptr] = __format::__parse_integer(__buf, __buf + __n);
- return {__v, __first + (__ptr - __buf)};
+ if (__ptr) [[likely]]
+ return {__v, __first + (__ptr - __buf)};
 }
 return {0, nullptr};
 }
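Review bot: The new `if (__ptr) [[likely]]` guard carries no comment saying why `__ptr` can be null, and this diff adds no regression test for the non-`char` path it protects. Going by the commit message, the nested `__parse_integer` call returns a null pointer when the width does not fit, so I would put `// Null __ptr: the parse failed; fall through to the shared failure return.` directly above the check. A testsuite case that formats a wide string with an out-of-range width and expects the failure result would stop this branch from regressing, which matters because a format string chosen at run time can reach this parser. The enclosing function starts above the hunk, so how `__buf` is initialised and how callers handle `{0, nullptr}` cannot be confirmed from here.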