[libcxx-commits] [PATCH] D146294: [libcxx] Fix crash in std::stringstream with payload >= INT_MAX

Fri Mar 17 06:18:29 PDT 2023

azat created this revision.
Herald added a subscriber: mikhail.ramalho.
Herald added a project: All.
azat requested review of this revision.
Herald added a project: libc++.
Herald added a subscriber: libcxx-commits.
Herald added a reviewer: libc++.

stringstream does works for payload > INT_MAX, however
stringstream::gcount() can break the internal field (__nout_) and this
breaks the stringstream itself, and so the program will crash.

Fix this, by using __pbump(streamsize) over pbump(int)

Note, libstdc++ does not have this bug.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D146294

Files:
  libcxx/include/sstream
  libcxx/test/std/input.output/string.streams/stringstream.members/gcount.pass.cpp


Index: libcxx/test/std/input.output/string.streams/stringstream.members/gcount.pass.cpp
===================================================================

--- /dev/null
+++ libcxx/test/std/input.output/string.streams/stringstream.members/gcount.pass.cpp
@@ -0,0 +1,36 @@
+//===----------------------------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+// <sstream>
+
+// Test that tellp() does not breaks the stringstream after INT_MAX, due to use
+// of pbump() that accept int.
+
+#include <string>
+#include <sstream>
+#include <cassert>
+
+#include "test_macros.h"
+
+int main(int, char**) {
+  std::stringstream ss;
+  std::string payload(1 << 20, 'A');
+
+  for (size_t i = 0; i < (2ULL << 30) - payload.size(); i += payload.size()) {
+    assert(ss.tellp() != -1);
+    ss.write(payload.data(), payload.size());
+  }
+
+  assert(ss.tellp() != -1);
+  ss.write(payload.data(), payload.size());
+
+  assert(ss.tellp() != -1);
+  ss.write(payload.data(), payload.size());
+
+  return 0;
+}
Index: libcxx/include/sstream
===================================================================
--- libcxx/include/sstream
+++ libcxx/include/sstream
@@ -479,13 +479,7 @@
                    const_cast<char_type*>(__str_.data()) + __str_.size());
         if (__mode_ & (ios_base::app | ios_base::ate))
         {
-            while (__sz > INT_MAX)
-            {
-                this->pbump(INT_MAX);
-                __sz -= INT_MAX;
-            }
-            if (__sz > 0)
-                this->pbump(__sz);
+            this->__pbump(__sz);
         }
     }
 }
@@ -619,7 +613,7 @@
     if (__wch & ios_base::out)
     {
         this->setp(this->pbase(), this->epptr());
-        this->pbump(__noff);
+        this->__pbump(__noff);
     }
     return pos_type(__noff);
 }


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D146294.506060.patch
Type: text/x-patch
Size: 2078 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/libcxx-commits/attachments/20230317/f02d20f9/attachment.bin>
