[libcxx-commits] [flang] [clang] [compiler-rt] [llvm] [libcxx] [mlir] [libc] [clang-tools-extra] [lld] [libc++][hardening] Categorize assertions that produce incorrect results (PR #77183)

David Benjamin via libcxx-commits libcxx-commits at lists.llvm.org
Tue Jan 23 12:52:07 PST 2024


================
@@ -307,8 +307,11 @@ public:
       : __data_(__s),
         __size_(__len) {
 #if _LIBCPP_STD_VER >= 14
-    _LIBCPP_ASSERT_UNCATEGORIZED(__len <= static_cast<size_type>(numeric_limits<difference_type>::max()),
-                                 "string_view::string_view(_CharT *, size_t): length does not fit in difference_type");
+    // This will result in creating an invalid `string_view` object -- some calculations involving `size` would
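Review bot: The explanatory comment added here frames the consequence as a wrong calculation ("some calculations involving `size` would ..."), but `__size_` is the bound that every later access check trusts (the `operator[]` bounds check assumes the stored length is correct), so a `__len` above `numeric_limits<difference_type>::max()` cannot describe any real object and a view built from it makes those later checks vacuous; suggest wording the comment as "a length that does not fit in `difference_type` cannot be the bounds of any object; constructing a `string_view` from it defeats subsequent bounds checks" and re-examining which assertion category this check is moved into (the replacement macro line itself is cut off in the quoted hunk, and the PR title suggests the "incorrect results" category, which understates this).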
----------------
davidben wrote:

I think this one has more serious consequences than the categorization and comment suggest. The size parameter determines the bounds of the string. Every byte from `__s[0]` up to `__s[__len - 1]` is fair game for the program to access. E.g. the bounds checks in `operator[]` assume the length is correct.

It is not possible for a length over `PTRDIFF_MAX` to be the correct bounds for `__s`. No allocation can exceed that amount. Moreover, it's not hard for a program to accidentally construct such a `string_view` by accidentally underflowing a computation and passing a negative number. That negative number will, in turn, be read as `SIZE_MAX`.

See https://github.com/llvm/llvm-project/issues/61100 for context.

https://github.com/llvm/llvm-project/pull/77183
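To make the failure mode and the precondition concrete, here is an added example that is not libc++'s code and not part of the original thread. `bounded_view`, `make_view_checked`, `remaining_length` and the sample buffer are hypothetical names constructed for this illustration; the only thing taken from the patch is the predicate `len <= numeric_limits<ptrdiff_t>::max()`. It shows how an underflowed length computation wraps to a value near `SIZE_MAX`, how a view that trusts such a length accepts any index, and how checking the length at construction time prevents the view from existing at all.

```cpp
// Added example (not libc++ code): a minimal string-view-like type that shows
// why a length above PTRDIFF_MAX can never be a valid bound, and how an
// underflowed size computation turns into exactly such a length.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>

// Hypothetical view type, written for illustration only.
struct bounded_view {
    const char* data_;
    std::size_t size_;

    bounded_view(const char* s, std::size_t len) : data_(s), size_(len) {}

    // A bounds check that trusts size_, as the real operator[] check does.
    bool in_bounds(std::size_t idx) const { return idx < size_; }
};

// The precondition asserted in the patch, written as a plain predicate:
// a length that does not fit in ptrdiff_t cannot describe a real object,
// because no allocation can be that large.
bool length_is_plausible(std::size_t len) {
    return len <= static_cast<std::size_t>(std::numeric_limits<std::ptrdiff_t>::max());
}

// Hardened construction: reject an implausible length before the view
// exists, instead of letting every later bounds check trust it.
bounded_view make_view_checked(const char* s, std::size_t len) {
    if (!length_is_plausible(len))
        throw std::length_error("length does not fit in ptrdiff_t");
    return bounded_view(s, len);
}

// Models the accidental underflow described in the message: a "remaining
// length" computed as total - consumed wraps when consumed > total, and the
// wrapped value is then read as a length near SIZE_MAX.
std::size_t remaining_length(std::size_t total, std::size_t consumed) {
    return total - consumed;  // unsigned wrap-around when consumed > total
}

// Constructed sample buffer (10 characters plus the terminator).
static const char kSample[] = "0123456789";

// Failure mode: with the wrapped length, the bounds check accepts an index
// far beyond the 10-byte buffer, so the view no longer bounds anything.
bool vacuous_check_with_wrapped_length() {
    std::size_t len = remaining_length(4, 6);  // wraps to SIZE_MAX - 1
    bounded_view v(kSample, len);
    return v.in_bounds(1u << 30) && !length_is_plausible(len);
}

// Mitigation: the checked constructor refuses the wrapped length outright.
bool checked_constructor_rejects_wrapped_length() {
    try {
        (void)make_view_checked(kSample, remaining_length(4, 6));
    } catch (const std::length_error&) {
        return true;
    }
    return false;
}
```

The design point is the one the message makes: once a view with an implausible length exists, no downstream check can recover the real bound, so the only place the check can be effective is the constructor, and it should be treated as a bounds precondition rather than a cosmetic "wrong arithmetic" one.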

