[PATCH] D20334: [libcxx] Fix a bug in strstreambuf::overflow
Akira Hatanaka via cfe-commits
cfe-commits at lists.llvm.org
Tue May 24 10:49:50 PDT 2016
ping.
> On May 17, 2016, at 12:20 PM, Akira Hatanaka via cfe-commits <cfe-commits at lists.llvm.org> wrote:
>
> ahatanak created this revision.
> ahatanak added reviewers: mclow.lists, EricWF, howard.hinnant.
> ahatanak added a subscriber: cfe-commits.
>
> The end pointer should point to one past the end of the newly allocated buffer.
>
> Without this fix, asan reports an error when the following code is compiled and executed:
>
> $ cat test.cpp
>
> ```
> std::string stringOfLength(const size_t length) {
> std::string s("");
>
> std::string characters("abcdefghijklmnopqrstuvwxyz0123456789+-*/");
> for (size_t i = 0; i < length; ++i) {
> s += characters[i % characters.size()];
> }
>
> return s;
> }
>
> int main(int, char const **argv) {
> std::ostrstream oss;
>
> oss << stringOfLength(atoi(argv[1])) << std::ends;
> std::cout << oss.str();
> oss.freeze(false);
>
> return 0;
> }```
>
> $ clang++ -fsanitize=address test.cpp && ./a.out 4096
> ==18970==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001dd00 at pc 0x00010277c45d bp 0x7fff5d4ce6e0 sp 0x7fff5d4cdea0
> READ of size 4097 at 0x62100001dd00 thread T0
> #0 0x10277c45c in wrap_strlen (libclang_rt.asan_osx_dynamic.dylib+0x4345c)
> #1 0x102733954 in std::__1::char_traits<char>::length(char const*) (a.out+0x100002954)
> #2 0x10273390b in std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::operator<<<std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*) (a.out+0x10000290b)
> #3 0x102733346 in main (a.out+0x100002346)
> #4 0x7fff901905ac in start (libdyld.dylib+0x35ac)
> #5 0x1 (<unknown module>)
>
> 0x62100001dd00 is located 0 bytes to the right of 4096-byte region [0x62100001cd00,0x62100001dd00)
> allocated by thread T0 here:
> #0 0x10278d42b in wrap__Znam (libclang_rt.asan_osx_dynamic.dylib+0x5442b)
> #1 0x7fff9bdc9fa1 in std::__1::strstreambuf::overflow(int) (libc++.1.dylib+0x44fa1)
> #2 0x7fff9bd901cc in std::__1::basic_streambuf<char, std::__1::char_traits<char> >::xsputn(char const*, long) (libc++.1.dylib+0xb1cc)
> #3 0x10273547c in std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > std::__1::__pad_and_output<char, std::__1::char_traits<char> >(std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> >, char const*, char const*, char const*, std::__1::ios_base&, char) (a.out+0x10000447c)
> #4 0x102734312 in std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long) (a.out+0x100003312)
> #5 0x10273389d in std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::operator<<<char, std::__1::char_traits<char>, std::__1::allocator<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) (a.out+0x10000289d)
> #6 0x1027332c4 in main (a.out+0x1000022c4)
> #7 0x7fff901905ac in start (libdyld.dylib+0x35ac)
> #8 0x1 (<unknown module>)
>
> http://reviews.llvm.org/D20334
>
> Files:
> src/strstream.cpp
>
> Index: src/strstream.cpp
> ===================================================================
> --- src/strstream.cpp
> +++ src/strstream.cpp
> @@ -180,7 +180,7 @@
> delete [] eback();
> }
> setg(buf, buf + ninp, buf + einp);
> - setp(buf + einp, buf + einp + eout);
> + setp(buf + einp, buf + new_size);
> pbump(static_cast<int>(nout));
> __strmode_ |= __allocated;
> }
>
>
> <D20334.57507.patch>_______________________________________________
> cfe-commits mailing list
> cfe-commits at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
More information about the cfe-commits
mailing list