[llvm-bugs] [Bug 33725] New: std::basic_stringbuf can't handle put areas > 2GB
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Jul 10 04:24:39 PDT 2017
https://bugs.llvm.org/show_bug.cgi?id=33725
Bug ID: 33725
Summary: std::basic_stringbuf can't handle put areas > 2GB
Product: libc++
Version: 4.0
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P
Component: All Bugs
Assignee: unassignedclangbugs at nondot.org
Reporter: zilla at kayari.org
CC: llvm-bugs at lists.llvm.org, mclow.lists at gmail.com
This crashes on x86_64:

    #include <sstream>

    int main()
    {
      std::string str(2147483648, 'a');
      std::stringbuf sb(str, std::ios::ate|std::ios::out);
      sb.sputc('a');
    }

The problem is that the xnext pointer for the put area is below the xbeg
pointer, so the sputc write happens outside the std::string member.

    #include <sstream>
    #include <cassert>

    struct SB : std::stringbuf
    {
      SB() : std::stringbuf(std::ios::ate|std::ios::out) { }
      const char* pubpbase() const { return pbase(); }
      const char* pubpptr() const { return pptr(); }
    };

    int main()
    {
      std::string str(2147483648, 'a');
      SB sb;
      sb.str(str);
      assert(sb.pubpbase() <= sb.pubpptr());
    }

a.out: ss.cc:16: int main(): Assertion `sb.pubpbase() <= sb.pubpptr()' failed.
The problem is that a 64-bit value is passed to basic_streambuf::pbump(int)
which overflows, producing a large negative value that gets added to the pbase
pointer. You need to call pbump in a loop when the argument is greater than
MAX_INT.
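
Added example (not part of the original report and not libc++'s code): a sketch of the narrowing described above and of advancing the put pointer in a loop. ProbeBuf, pbump_chunked, truncated_pbump_arg and advance_with_limit are hypothetical names; the max_step parameter stands in for the int limit so the loop can be run on a 64-byte buffer.

```cpp
#include <algorithm>
#include <climits>
#include <cstddef>
#include <iostream>
#include <streambuf>

// Constructed helper type: exposes the protected put-area API of std::streambuf.
struct ProbeBuf : std::streambuf {
    void set_area(char* first, char* last) { setp(first, last); }
    std::ptrdiff_t put_offset() const { return pptr() - pbase(); }

    // Advance pptr by n, never handing pbump(int) more than max_step at once.
    void pbump_chunked(std::ptrdiff_t n, int max_step = INT_MAX) {
        while (n > 0) {
            const int step =
                static_cast<int>(std::min<std::ptrdiff_t>(n, max_step));
            pbump(step);
            n -= step;
        }
    }
};

// The value pbump(int) receives when a 64-bit offset is narrowed to int.
// (Implementation-defined before C++20; mainstream compilers wrap.)
int truncated_pbump_arg(long long n) { return static_cast<int>(n); }

// Exercise the loop on a small constructed buffer and report where pptr ends.
std::ptrdiff_t advance_with_limit(std::ptrdiff_t n, int max_step) {
    static char storage[64];
    ProbeBuf sb;
    sb.set_area(storage, storage + sizeof storage);
    sb.pbump_chunked(n, max_step);
    return sb.put_offset();
}

int main() {
    std::cout << "pbump(int) sees " << truncated_pbump_arg(2147483648LL)
              << " for offset 2147483648\n";
    std::cout << "chunked advance of 50 in steps of 7 ends at offset "
              << advance_with_limit(50, 7) << "\n";
}
```
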