<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - std::basic_stringbuf can't handle put areas > 2GB"
   href="https://bugs.llvm.org/show_bug.cgi?id=33725">33725</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>std::basic_stringbuf can't handle put areas > 2GB
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>libc++
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>4.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>All Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>zilla@kayari.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org, mclow.lists@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>This crashes on x86_64:

#include <sstream>

int main()
{
    std::string str(2147483648, 'a');
    std::stringbuf sb(str, std::ios::ate|std::ios::out);
    sb.sputc('a');
}

The problem is that the xnext pointer for the put area is below the xbeg
pointer, so the sputc write happens outside the std::string member.

#include <sstream>
#include <cassert>

struct SB : std::stringbuf
{
  SB() : std::stringbuf(std::ios::ate|std::ios::out) { }
  const char* pubpbase() const { return pbase(); }
  const char* pubpptr() const { return pptr(); }
};

int main()
{
    std::string str(2147483648, 'a');
    SB sb;
    sb.str(str);
    assert(sb.pubpbase() <= sb.pubpptr());
}

a.out: ss.cc:16: int main(): Assertion `sb.pubpbase() <= sb.pubpptr()' failed.

The problem is that a 64-bit value is passed to basic_streambuf::pbump(int)
which overflows, producing a large negative value that gets added to the pbase
pointer. You need to call pbump in a loop when the argument is greater than
MAX_INT.</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are on the CC list for the bug.</li>
      </ul>
    </body>
</html>