libstdc++: fix illegal pointer arithmetic in format [PR111102]

When parsing a format string, the width is parsed into an unsigned short
but the result is not checked in the case the format string is not a
char string (such as a wide string). In case the parse fails, a null
pointer is returned which is used for pointer arithmetic which is
undefined behaviour.

Signed-off-by: Paul Dreik <gccpatches@pauldreik.se>
libstdc++-v3/ChangeLog:

	PR libstdc++/111102
	* include/std/format (__format::__parse_integer): Check for
	non-null pointer.

diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format
index f3d9ae152f907a23b74230d3731084ad1faa4051..fe2caa5868815f0e70008ba9880e2fabc9e4f90a 100644 (file)
--- a/libstdc++-v3/include/std/format
+++ b/libstdc++-v3/include/std/format
@@ -285,7 +285,8 @@ namespace __format
          for (int __i = 0; __i < __n && (__first + __i) != __last; ++__i)
            __buf[__i] = __first[__i];
          auto [__v, __ptr] = __format::__parse_integer(__buf, __buf + __n);
-         return {__v, __first + (__ptr - __buf)};
+         if (__ptr) [[likely]]
+           return {__v, __first + (__ptr - __buf)};
        }
       return {0, nullptr};
     }