Message ID | 3619b32b-e7cb-7e67-2fea-67e3d9c5377a@pauldreik.se |
---|---|
State | Not Applicable |
Headers |
From: Paul Dreik via Gcc-patches <gcc-patches@gcc.gnu.org> Reply-To: Paul Dreik <gccpatches@pauldreik.se> To: gcc-patches@gcc.gnu.org Cc: libstdc++@gcc.gnu.org Date: Wed, 23 Aug 2023 20:48:25 +0200 Subject: [PATCH] Fix for bug libstdc++/111102 pointer arithmetic on nullptr |
Series | Fix for bug libstdc++/111102 pointer arithmetic on nullptr |
Checks
Context | Check | Description |
---|---|---|
snail/gcc-patch-check | fail | Git am fail log |
Commit Message
Paul Dreik
Aug. 23, 2023, 6:48 p.m. UTC
This fixes pointer arithmetic made on a null pointer, which I found
through fuzzing.
Tested on debian/amd64.
Thanks, Paul
------------------------------------------------------------------------
commit 78ac41590432f4f01036797fd9d661f6ed80cf37 (HEAD -> master)
Author: Paul Dreik <gccpatches@pauldreik.se>
Date: Tue Aug 22 19:16:57 2023 +0200
libstdc++: fix illegal pointer arithmetic in format
when parsing a format string, the width is parsed into an unsigned
short
but the result is not checked in the case the format string is not a
char string (such as a wide string). in case the parse fails,
a null pointer is returned which is used for pointer arithmetic
which is undefined behaviour.
Signed-off-by: Paul Dreik <gccpatches@pauldreik.se>
}
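The failure mode described in the commit message, reduced to a stand-alone sketch. This is an added example, not libstdc++ code and not code from the patch author; `parse_width`, `consumed`, the use of `std::from_chars` and the sample inputs are assumptions made for illustration.

```cpp
#include <charconv>
#include <cstddef>
#include <system_error>
#include <utility>

// Narrow parser: {value, end-of-digits} on success, {0, nullptr} when there
// are no digits or the value does not fit in unsigned short.
std::pair<unsigned short, const char*>
parse_width(const char* first, const char* last)
{
  unsigned short val = 0;
  auto [ptr, ec] = std::from_chars(first, last, val, 10);
  if (ec == std::errc{} && ptr != first)
    return {val, ptr};
  return {0, nullptr};
}

// Wide wrapper: copy the leading ASCII digits into a char buffer, parse
// them, then map the end pointer back into the caller's wide range.
std::pair<unsigned short, const wchar_t*>
parse_width(const wchar_t* first, const wchar_t* last)
{
  constexpr int n = 32;
  char buf[n] = {};
  for (int i = 0; i < n && first + i != last
                  && first[i] >= L'0' && first[i] <= L'9'; ++i)
    buf[i] = static_cast<char>(first[i]);
  auto [v, ptr] = parse_width(buf, buf + n);
  // Without this check a failed parse evaluates first + (nullptr - buf),
  // which is pointer arithmetic on a null pointer: undefined behaviour.
  if (ptr)
    return {v, first + (ptr - buf)};
  return {0, nullptr};
}

// Code units consumed by the width, or -1 when the width is rejected.
std::ptrdiff_t consumed(const wchar_t* s, std::size_t len)
{
  const wchar_t* end = parse_width(s, s + len).second;
  return end ? end - s : -1;
}

int main()
{
  // Constructed inputs: a valid width, then one that overflows 16 bits.
  return (consumed(L"42}", 3) == 2 && consumed(L"65536}", 6) == -1) ? 0 : 1;
}
```

Building the unchecked variant with `-fsanitize=undefined` and feeding it the overflowing width is a quick way to confirm that a sanitizer or fuzzer flags the null-pointer offset.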
Comments
On Wed, 23 Aug 2023 at 19:48, Paul Dreik via Libstdc++ <libstdc++@gcc.gnu.org> wrote:
>
> This fixes pointer arithmetic made on a null pointer, which I found
> through fuzzing.
> Tested on debian/amd64.
>
> Thanks, Paul

Thanks. Pushed to trunk, backport to gcc-13 to follow. I also added your testcase from the bug report to the testsuite.

>
> ------------------------------------------------------------------------
> commit 78ac41590432f4f01036797fd9d661f6ed80cf37 (HEAD -> master)
> Author: Paul Dreik <gccpatches@pauldreik.se>
> Date: Tue Aug 22 19:16:57 2023 +0200
>
> libstdc++: fix illegal pointer arithmetic in format
>
> when parsing a format string, the width is parsed into an unsigned
> short
> but the result is not checked in the case the format string is not a
> char string (such as a wide string). in case the parse fails,
> a null pointer is returned which is used for pointer arithmetic
> which is undefined behaviour.
>
> Signed-off-by: Paul Dreik <gccpatches@pauldreik.se>
>
> diff --git a/libstdc++-v3/include/std/format > b/libstdc++-v3/include/std/format > index f3d9ae152f..fe2caa5868 100644 > --- a/libstdc++-v3/include/std/format > +++ b/libstdc++-v3/include/std/format > @@ -285,7 +285,8 @@ namespace __format > for (int __i = 0; __i < __n && (__first + __i) != __last; ++__i) > __buf[__i] = __first[__i]; > auto [__v, __ptr] = __format::__parse_integer(__buf, __buf + > __n); > - return {__v, __first + (__ptr - __buf)}; > + if (__ptr) [[likely]] > + return {__v, __first + (__ptr - __buf)}; > } > return {0, nullptr}; > }
diff --git a/libstdc++-v3/include/std/format b/libstdc++-v3/include/std/format index f3d9ae152f..fe2caa5868 100644 --- a/libstdc++-v3/include/std/format +++ b/libstdc++-v3/include/std/format @@ -285,7 +285,8 @@ namespace __format for (int __i = 0; __i < __n && (__first + __i) != __last; ++__i) __buf[__i] = __first[__i]; auto [__v, __ptr] = __format::__parse_integer(__buf, __buf + __n); - return {__v, __first + (__ptr - __buf)}; + if (__ptr) [[likely]] + return {__v, __first + (__ptr - __buf)}; } return {0, nullptr};
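Review bot: The failure path of the added `if (__ptr) [[likely]]` is only implicit: a null `__ptr` leaves the block and relies on the existing `return {0, nullptr};` after the closing brace. That is the right result, but a one-line comment saying that a failed `__parse_integer` falls through to the failure return would protect it against a later edit that puts code between the brace and that return. The diff also touches only `include/std/format`; the input that triggers the problem (a non-char format string whose width fails to parse) should go into the testsuite together with the fix so that the check cannot regress unnoticed.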