[PATCH] D20334: [libcxx] Fix a bug in strstreambuf::overflow

Duncan P. N. Exon Smith via cfe-commits cfe-commits at lists.llvm.org
Tue Jun 28 17:57:05 PDT 2016


(Ignore me, I was looking at an old version.)

> On 2016-Jun-28, at 17:56, Duncan P. N. Exon Smith via cfe-commits <cfe-commits at lists.llvm.org> wrote:
> 
> The fix looks fairly obvious, but you haven't added a testcase.  Would you please do so?
> 
>> On 2016-May-17, at 12:20, Akira Hatanaka via cfe-commits <cfe-commits at lists.llvm.org> wrote:
>> 
>> ahatanak created this revision.
>> ahatanak added reviewers: mclow.lists, EricWF, howard.hinnant.
>> ahatanak added a subscriber: cfe-commits.
>> 
>> The end pointer should point to one past the end of the newly allocated buffer.
>> 
>> Without this fix, asan reports an error when the following code is compiled and executed:
>> 
>> $ cat test.cpp
>> 
>> ```
>> #include <cstdlib>
>> #include <iostream>
>> #include <string>
>> #include <strstream>
>> 
>> // Build a string of the requested length from a repeating alphabet.
>> std::string stringOfLength(const size_t length) {
>>   std::string s("");
>> 
>>   std::string characters("abcdefghijklmnopqrstuvwxyz0123456789+-*/");
>>   for (size_t i = 0; i < length; ++i) {
>>     s += characters[i % characters.size()];
>>   }
>> 
>>   return s;
>> }
>> 
>> int main(int argc, char const **argv) {
>>   if (argc < 2)
>>     return 1;
>> 
>>   std::ostrstream oss;
>> 
>>   // Write argv[1] characters followed by the terminator std::ends appends,
>>   // then read the result back as a C string; asan flags the strlen below.
>>   oss << stringOfLength(atoi(argv[1])) << std::ends;
>>   std::cout << oss.str();
>>   oss.freeze(false);
>> 
>>   return 0;
>> }
>> ```
>> 
>> $ clang++  -fsanitize=address test.cpp && ./a.out 4096
>> ==18970==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001dd00 at pc 0x00010277c45d bp 0x7fff5d4ce6e0 sp 0x7fff5d4cdea0
>> READ of size 4097 at 0x62100001dd00 thread T0
>>   #0 0x10277c45c in wrap_strlen (libclang_rt.asan_osx_dynamic.dylib+0x4345c)
>>   #1 0x102733954 in std::__1::char_traits<char>::length(char const*) (a.out+0x100002954)
>>   #2 0x10273390b in std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::operator<<<std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*) (a.out+0x10000290b)
>>   #3 0x102733346 in main (a.out+0x100002346)
>>   #4 0x7fff901905ac in start (libdyld.dylib+0x35ac)
>>   #5 0x1  (<unknown module>)
>> 
>> 0x62100001dd00 is located 0 bytes to the right of 4096-byte region [0x62100001cd00,0x62100001dd00)
>> allocated by thread T0 here:
>>   #0 0x10278d42b in wrap__Znam (libclang_rt.asan_osx_dynamic.dylib+0x5442b)
>>   #1 0x7fff9bdc9fa1 in std::__1::strstreambuf::overflow(int) (libc++.1.dylib+0x44fa1)
>>   #2 0x7fff9bd901cc in std::__1::basic_streambuf<char, std::__1::char_traits<char> >::xsputn(char const*, long) (libc++.1.dylib+0xb1cc)
>>   #3 0x10273547c in std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > std::__1::__pad_and_output<char, std::__1::char_traits<char> >(std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> >, char const*, char const*, char const*, std::__1::ios_base&, char) (a.out+0x10000447c)
>>   #4 0x102734312 in std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long) (a.out+0x100003312)
>>   #5 0x10273389d in std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::operator<<<char, std::__1::char_traits<char>, std::__1::allocator<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) (a.out+0x10000289d)
>>   #6 0x1027332c4 in main (a.out+0x1000022c4)
>>   #7 0x7fff901905ac in start (libdyld.dylib+0x35ac)
>>   #8 0x1  (<unknown module>)
>> 
>> http://reviews.llvm.org/D20334
>> 
>> Files:
>> src/strstream.cpp
>> 
>> Index: src/strstream.cpp
>> ===================================================================
>> --- src/strstream.cpp
>> +++ src/strstream.cpp
>> @@ -180,7 +180,7 @@
>>                delete [] eback();
>>        }
>>        setg(buf, buf + ninp, buf + einp);
>> -        setp(buf + einp, buf + einp + eout);
>> +        setp(buf + einp, buf + new_size);
>>        pbump(static_cast<int>(nout));
>>        __strmode_ |= __allocated;
>>    }
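Review bot: the corrected `setp(buf + einp, buf + new_size)` makes the put area end where the `new_size`-byte allocation ends, which is what the description asks for, but the hunk ships without a regression test; a test that writes exactly one allocation's worth of characters followed by a terminator (the reproducer in the message, trimmed down) and then calls `str()` would catch a relapse and should land together with the fix. On the following context line, `pbump(static_cast<int>(nout))` narrows a `ptrdiff_t` to `int`, so a put position beyond `INT_MAX` is silently truncated; that predates this change, but since the surrounding lines are being touched it is worth a follow-up or at least a comment noting the limit.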
>> 
>> 
>> <D20334.57507.patch>_______________________________________________
>> cfe-commits mailing list
>> cfe-commits at lists.llvm.org
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
> 
> _______________________________________________
> cfe-commits mailing list
> cfe-commits at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
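The put-area bookkeeping the patch corrects, as an added example that is not part of the original message or of libc++: a toy growable output streambuf (GrowBuf, an assumed name) whose overflow() can be built either with the stale end pointer (epptr set from the old put-area size) or with the corrected one (epptr one past the new allocation), driven the way the reproducer drives ostrstream, that is n payload bytes followed by the NUL terminator std::ends writes. run(), RunResult and the initial buffer size of 16 are assumptions of this example. It departs from the original in one respect: overflow() refuses a write once pptr() has moved past epptr() instead of storing through it, a guard that is not part of the patch under review, so the stale end pointer shows up as a broken invariant and a refused write rather than as an out-of-bounds store.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <streambuf>
#include <string>

// Toy dynamic output streambuf (example code, not libc++'s strstreambuf).
// `fixed` selects the end-pointer bookkeeping used after reallocation:
//   false: setp(buf, buf + <old put-area size>)   -- the bug fixed in D20334
//   true : setp(buf, buf + new_size)              -- one past the new allocation
class GrowBuf : public std::streambuf {
public:
  GrowBuf(bool fixed, std::size_t initial_size)
      : fixed_(fixed), initial_size_(initial_size) {}
  ~GrowBuf() override { delete[] buf_; }

  // Same contract as sputc(): store if there is room, otherwise overflow().
  int_type put(char ch) {
    if (pptr() < epptr()) {
      *pptr() = ch;
      pbump(1);
      return traits_type::to_int_type(ch);
    }
    return overflow(traits_type::to_int_type(ch));
  }
  const char* data() const { return buf_; }
  std::size_t allocated() const { return size_; }
  std::size_t written() const { return static_cast<std::size_t>(pptr() - pbase()); }
  // Put-area size as the streambuf believes it.
  std::ptrdiff_t put_capacity() const { return epptr() - pbase(); }
  // Invariant the fix restores: the put area ends exactly where the allocation ends.
  bool put_area_matches_allocation() const {
    return buf_ != nullptr && pbase() == buf_ && epptr() == buf_ + size_;
  }

protected:
  int_type overflow(int_type c) override {
    if (traits_type::eq_int_type(c, traits_type::eof()))
      return traits_type::not_eof(c);
    // Guard added for this example: with the stale end pointer pptr() runs
    // past epptr(), and a plain store here would land outside the allocation.
    if (pptr() > epptr())
      return traits_type::eof();
    // pptr() == epptr(): the put area is full, so reallocate at double size.
    std::size_t old_size = size_;
    std::size_t new_size = std::max(initial_size_, 2 * old_size);
    char* nb = new char[new_size];
    if (old_size != 0)
      std::memcpy(nb, buf_, old_size);
    std::ptrdiff_t nout = pptr() - pbase();  // characters already written
    std::ptrdiff_t eout = epptr() - pbase(); // put-area size of the OLD buffer
    delete[] buf_;
    buf_ = nb;
    size_ = new_size;
    if (fixed_)
      setp(nb, nb + new_size); // end pointer one past the new allocation
    else
      setp(nb, nb + eout);     // end pointer at the old size: stale after growth
    pbump(static_cast<int>(nout));
    *pptr() = traits_type::to_char_type(c);
    pbump(1);
    return c;
  }

private:
  bool fixed_;
  std::size_t initial_size_;
  char* buf_ = nullptr;
  std::size_t size_ = 0;
};

struct RunResult {
  std::size_t accepted;        // characters the streambuf took (payload + NUL)
  std::size_t allocated;       // bytes of the final buffer
  std::ptrdiff_t put_capacity; // epptr() - pbase() at the end
  bool invariant_ok;           // put area ends at the allocation end
  bool terminated;             // a NUL lies inside the written bytes
  std::size_t c_length;        // strlen-equivalent, bounded by written bytes
};

// Mirrors the reproducer: n payload bytes, then the terminator std::ends writes.
RunResult run(bool fixed, std::size_t initial_size, std::size_t n) {
  using traits = std::char_traits<char>;
  GrowBuf sb(fixed, initial_size);
  RunResult r{};
  std::string payload(n, 'x');
  for (char ch : payload) {
    if (traits::eq_int_type(sb.put(ch), traits::eof())) break;
    ++r.accepted;
  }
  if (!traits::eq_int_type(sb.put('\0'), traits::eof())) ++r.accepted;
  r.allocated = sb.allocated();
  r.put_capacity = sb.put_capacity();
  r.invariant_ok = sb.put_area_matches_allocation();
  const char* b = sb.data();
  const char* e = b + sb.written();
  const char* nul = std::find(b, e, '\0'); // bounded scan, unlike strlen()
  r.terminated = nul != e;
  r.c_length = static_cast<std::size_t>(nul - b);
  return r;
}

int main() {
  RunResult bug = run(false, 16, 16), ok = run(true, 16, 16);
  std::printf("stale : accepted=%zu capacity=%td invariant=%d terminated=%d\n",
              bug.accepted, bug.put_capacity, bug.invariant_ok, bug.terminated);
  std::printf("fixed : accepted=%zu capacity=%td invariant=%d terminated=%d\n",
              ok.accepted, ok.put_capacity, ok.invariant_ok, ok.terminated);
  return 0;
}
```

With the corrected bookkeeping, a 16-byte payload into a 16-byte buffer forces one more reallocation for the terminator, the put area then spans the whole 32-byte allocation, and the NUL lands inside it; with the stale end pointer the first reallocation leaves epptr() equal to pbase(), the invariant check fails immediately, and every write after the first is refused by the guard. The bounded std::find in run() is the check a reader of oss.str() would want in place of strlen() while the terminator is in doubt.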
