<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/143684>143684</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[libc++] Out-of-bounds read in `std::bitset` constructor from `char*`
</td>
</tr>
<tr>
<th>Labels</th>
<td>
libc++
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
Eisenwave
</td>
</tr>
</table>
<pre>
https://github.com/llvm/llvm-project/blob/40cc7b4578fd2d65aaef8356fbe7caf2d84a8f3e/libcxx/include/bitset#L645-L658
This constructor is incorrectly implemented, leading to out-of-bounds reads on the given `__str`.
```cpp
std::min(__n, char_traits<_CharT>::length(__str));
```
Will unconditionally call `::length`, even if a size was explicitly specified, and if the string is not null-terminated (it doesn't have to be), `length` goes past the end of `__str`.
The implementation described in [[bitset.cons]](https://eel.is/c++draft/bitset.cons) is:
```cpp
bitset(n == basic_string_view<charT>::npos
? basic_string_view<charT>(str)
: basic_string_view<charT>(str, n),
0, n, zero, one)
```
This will only try to search for a null terminator if `n == npos`, but libc++ implements no such short-circuiting.
</pre>
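<pre>
The length selection quoted from [bitset.cons] above, written out as an added example (not libc++ code and not part of the original report): the pointer is scanned for a terminator only when `n == npos`. `bounded_view`, `bitset_from_chars` and the sample buffers are hypothetical names constructed for illustration.

```cpp
#include <bitset>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <string_view>

// Hypothetical helper, not libc++ code: build the view the way [bitset.cons]
// words it, so str is scanned for a terminator only when n == npos.
std::string_view bounded_view(const char* str, std::size_t n) {
    return n == std::string_view::npos ? std::string_view(str)
                                       : std::string_view(str, n);
}

// Hypothetical stand-in for the char* constructor (narrow char only).
template <std::size_t N>
std::bitset<N> bitset_from_chars(const char* str,
                                 std::size_t n = std::string_view::npos,
                                 char zero = '0', char one = '1') {
    // Go through std::string: that bitset constructor exists in every
    // standard revision, while the string_view one is a recent addition.
    return std::bitset<N>(std::string(bounded_view(str, n)), 0, n, zero, one);
}

// Constructed sample input: four digits and deliberately no terminator.
static const char kUnterminated[4] = {'1', '0', '1', '1'};

unsigned long demo_unterminated() {
    return bitset_from_chars<8>(kUnterminated, 4).to_ulong();  // 0b1011
}

// With an explicit n the view holds exactly n characters, so a '\0' inside
// the range is an invalid digit rather than an early end of string.
bool rejects_embedded_nul() {
    static const char buf[2] = {'1', '\0'};
    try {
        (void)bitset_from_chars<8>(buf, 2);
    } catch (const std::invalid_argument&) {
        return true;
    }
    return false;
}

int main() {
    std::cout << demo_unterminated() << ' ' << rejects_embedded_nul() << '\n';
}
```

Building this with `-fsanitize=address` gives a quick check that nothing beyond the four bytes of `kUnterminated` is read.
</pre>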