libstdc++: fix illegal pointer arithmetic in format [PR111102]

When parsing a format string, the width is parsed into an unsigned short
but the result is not checked in the case the format string is not a
char string (such as a wide string). In case the parse fails, a null
pointer is returned which is used for pointer arithmetic which is
undefined behaviour.

Signed-off-by: Paul Dreik <gccpatches@pauldreik.se>
libstdc++-v3/ChangeLog:

	PR libstdc++/111102
	* include/std/format (__format::__parse_integer): Check for
	non-null pointer.

(cherry picked from commit dd4bdb9eea436bf06f175d8dbfc2190377455be4)

diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format
index ec910f13a8ec8061ee0c753a35033cc574914b34..3721f021afdac4c57d60ae2e40bc34a2ad5e565a 100644 (file)
--- a/libstdc++-v3/include/std/format
+++ b/libstdc++-v3/include/std/format
@@ -285,7 +285,8 @@ namespace __format
          for (int __i = 0; __i < __n && (__first + __i) != __last; ++__i)
            __buf[__i] = __first[__i];
          auto [__v, __ptr] = __format::__parse_integer(__buf, __buf + __n);
-         return {__v, __first + (__ptr - __buf)};
+         if (__ptr) [[likely]]
+           return {__v, __first + (__ptr - __buf)};
        }
       return {0, nullptr};
     }