[libcxx-commits] [libcxx] [libc++] Add missing assertion in std::span constructor (PR #118396)
via libcxx-commits
libcxx-commits at lists.llvm.org
Fri Dec 6 13:59:52 PST 2024
mxms0 wrote:
> My rationale for making it _LIBCPP_ASSERT_VALID_INPUT_RANGE was that creating such a span would then allow you to access the region of memory [0, N) freely without complaint, and that seemed like something potentially dangerous. N can potentially be something large, so in theory you could end up getting a "blessed handle" to dereference an arbitrary address unless I missed something.
That's true, I can see a scenario where the user has some code like:
```
#include <cstdlib>
#include <span>

void* global_buf_ = nullptr;

template <typename T>
std::span<T> allocate_elements(int num) {
  global_buf_ = std::malloc(num * sizeof(T));
  // num * sizeof(T) is large enough that malloc fails and returns nullptr
  return std::span<T>(static_cast<T*>(global_buf_), num * sizeof(T));
  // we create a span here with (0, large_number);
}
```
Then the attacker would need to be able to index arbitrarily into the span without crashing, which isn't impossible.
We use absl::Span a lot and not std::span, so I don't have a great way currently to measure the overhead of this, but I suppose it's something we can easily re-visit once the time comes. I'll CC some folks here, but feel free to close out if we don't respond within your initial "few days" :)
https://github.com/llvm/llvm-project/pull/118396