[PATCH] D20334: [libcxx] Fix a bug in strstreambuf::overflow

Akira Hatanaka via cfe-commits cfe-commits at lists.llvm.org
Thu May 26 18:42:04 PDT 2016


ahatanak marked an inline comment as done.
ahatanak added a comment.

I spent some time debugging the code and here is what I found.

The initial buffer size is 0 when strstreambuf is constructed and all six pointers are null initially. When the first character is pushed, strstreambuf::overflow allocates 4096B (which is the value of __default_alsize) and initializes the six pointers to the address of "buf". Then it bumps the current put character pointer (pptr). The other five pointers don't change. strstreambuf::overflow gets called 4095 more times and pptr is incremented every time. No new memory blocks are allocated while this happens because pptr() != epptr() after the first character is pushed.

It seems that std::ends does get written to the right location (meaning buf+4096). I'm thinking ASAN doesn't catch this as an out-of-bounds write because I'm using libc++ that is not instrumented. It catches the out-of-bounds read because the call to strlen is intercepted (wrap_strlen is called).


http://reviews.llvm.org/D20334
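The following is an added example, not code from libc++ or from the D20334 review, showing the regression check a reviewer would want for the scenario described in the message: fill the default allocation of a dynamic strstreambuf one character at a time, push the terminator that std::ends writes, and verify that the put-area pointers still satisfy pbase() <= pptr() <= epptr() and that strlen on the frozen buffer sees exactly the bytes written. The derived class and the helper names (inspectable_strstreambuf, put_state, fill_and_check) are hypothetical and exist only to expose the protected put-area pointers.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <strstream>

// Hypothetical helper (added example, not libc++ code): derives from
// std::strstreambuf only to read the protected put-area pointers.
struct inspectable_strstreambuf : std::strstreambuf {
    inspectable_strstreambuf() : std::strstreambuf() {}   // dynamic, initial size 0

    std::ptrdiff_t put_used() const     { return pptr()  - pbase(); }
    std::ptrdiff_t put_capacity() const { return epptr() - pbase(); }
    // pptr() must stay inside [pbase(), epptr()]; a store at or past epptr()
    // is exactly the out-of-bounds write the message above describes.
    bool put_area_ok() const { return pbase() <= pptr() && pptr() <= epptr(); }
};

struct put_state {
    std::ptrdiff_t used;       // bytes in the put area, including the terminator
    std::ptrdiff_t capacity;   // size of the put area in bytes
    bool invariant_ok;         // pbase() <= pptr() <= epptr() held after every write
    bool all_writes_accepted;  // no sputc() returned EOF
    std::size_t strlen_seen;   // strlen() of the buffer returned by str()
};

// Push `n` bytes of 'x' through sputc() one at a time so that overflow() is
// what allocates and grows the buffer, then push the '\0' that std::ends writes.
put_state fill_and_check(std::size_t n) {
    const int eof = std::char_traits<char>::eof();
    inspectable_strstreambuf sb;
    put_state st{0, 0, true, true, 0};

    for (std::size_t i = 0; i < n; ++i) {
        if (sb.sputc('x') == eof)
            st.all_writes_accepted = false;
        if (!sb.put_area_ok())
            st.invariant_ok = false;
    }
    if (sb.sputc('\0') == eof)          // what std::ends does
        st.all_writes_accepted = false;
    if (!sb.put_area_ok())
        st.invariant_ok = false;

    st.used     = sb.put_used();
    st.capacity = sb.put_capacity();

    // str() freezes the buffer and returns it. strlen must see exactly n bytes,
    // which only holds if the terminator landed inside the put area.
    const char* p = sb.str();
    st.strlen_seen = p ? std::strlen(p) : 0;
    sb.freeze(false);                   // let the destructor release the buffer
    return st;
}

int main() {
    put_state st = fill_and_check(4096);
    bool ok = st.invariant_ok && st.all_writes_accepted
           && st.used == 4097 && st.capacity >= st.used && st.strlen_seen == 4096;
    return ok ? 0 : 1;
}
```

With an overflow() that sets epptr() equal to pbase() on the first allocation, put_area_ok() turns false on the second write and strlen_seen depends on whatever byte follows the buffer; with an instrumented library, or with the strlen interceptor the message mentions, the read past the end is what ASan reports. Build it with the same libc++ the message is about, not the host's default library, or the check exercises a different implementation.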
