From patchwork Fri Jan 5 14:42:56 2024
X-Patchwork-Submitter: Jonathan Wakely
X-Patchwork-Id: 185445
From: Jonathan Wakely
To: libstdc++@gcc.gnu.org, gcc-patches@gcc.gnu.org
Cc: Martin Küttler
Subject: [committed] libstdc++: Avoid overflow when appending to std::filesystem::path
Date: Fri, 5 Jan 2024 14:42:56 +0000
Message-ID: <20240105144324.3257646-1-jwakely@redhat.com>

Tested x86_64-linux. Pushed to trunk.

-- >8 --

This prevents a std::filesystem::path from exceeding INT_MAX/4 components (which is unlikely to ever be a problem except on 16-bit targets). That limit ensures that the capacity*1.5 calculation doesn't overflow.

We should also check that we don't exceed SIZE_MAX when calculating how many bytes to allocate. That only needs to be checked when int is at least as large as size_t, because otherwise we know that the product INT_MAX/4 * sizeof(value_type) will fit in SIZE_MAX. For targets where size_t is twice as wide as int this obviously holds. For msp430-elf we have 16-bit int and 20-bit size_t, so the condition holds as long as sizeof(value_type) fits in 7 bits, which it does.
We can also remove some floating-point arithmetic in operator/= which ensures exponential growth of the buffer. That's redundant because path::_List::reserve does that anyway (and does so more efficiently since the commit immediately before this one).

libstdc++-v3/ChangeLog:

	* src/c++17/fs_path.cc (path::_List::reserve): Limit maximum size
	and check for overflows in arithmetic.
	(path::operator/=(const path&)): Remove redundant exponential
	growth calculation.
---
 libstdc++-v3/src/c++17/fs_path.cc | 35 +++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/libstdc++-v3/src/c++17/fs_path.cc b/libstdc++-v3/src/c++17/fs_path.cc index a2d3c54a88a..d33b8d96663 100644 --- a/libstdc++-v3/src/c++17/fs_path.cc +++ b/libstdc++-v3/src/c++17/fs_path.cc @@ -35,6 +35,7 @@ #include #include #include +#include // __gnu_cxx::__int_traits namespace fs = std::filesystem; using fs::path;
@@ -447,11 +448,30 @@ path::_List::reserve(int newcap, bool exact = false) if (curcap < newcap) { - const int nextcap = curcap + curcap / 2; - if (!exact && newcap < nextcap) - newcap = nextcap; + if (!exact) + { + const int nextcap = curcap + curcap / 2; + if (newcap < nextcap) + newcap = nextcap; + } - void* p = ::operator new(sizeof(_Impl) + newcap * sizeof(value_type)); + using __gnu_cxx::__int_traits; + // Nobody should need paths with this many components. + if (newcap >= __int_traits::__max / 4) + std::__throw_bad_alloc(); + + size_t bytes; + if constexpr (__int_traits::__max >= __int_traits::__max) + { + size_t components; + if (__builtin_mul_overflow(newcap, sizeof(value_type), &components) + || __builtin_add_overflow(sizeof(_Impl), components, &bytes)) + std::__throw_bad_alloc(); + } + else // This won't overflow, even for 20-bit size_t on msp430. + bytes = sizeof(_Impl) + newcap * sizeof(value_type); + + void* p = ::operator new(bytes); std::unique_ptr<_Impl, _Impl_deleter> newptr(::new(p) _Impl{newcap}); const int cursize = curptr ? curptr->size() : 0; if (cursize) @@ -588,13 +608,6 @@ path::operator/=(const path& __p) ++capacity; // Need to insert root-directory after root-name #endif - if (orig_type == _Type::_Multi) - { - const int curcap = _M_cmpts._M_impl->capacity(); - if (capacity > curcap) - capacity = std::max(capacity, (int) (curcap * 1.5)); - } - _M_pathname.reserve(_M_pathname.length() + sep.length() + __p._M_pathname.length());
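Review bot: in the path::_List::reserve hunk, the line `if constexpr (__int_traits::__max >= __int_traits::__max)` as rendered here compares a value with itself and is therefore always true, which would make the `__builtin_mul_overflow` branch unconditional and the msp430 `else` branch dead; the template arguments (like the header name on the new `#include` line) appear to have been stripped in rendering, since the commit message says the byte-count check is only needed when int is at least as wide as size_t, so the committed source should be confirmed to spell out the int and size_t traits (`__int_traits<int>::__max >= __int_traits<size_t>::__max`). The placement of `if (newcap >= __int_traits::__max / 4)` after the `nextcap = curcap + curcap / 2` step is correct but worth a comment: every capacity that passes the guard is below INT_MAX/4, so the next call's `curcap + curcap / 2` stays below 3/8 of INT_MAX and cannot overflow. One style point: this is a fixed size cap rather than an allocation failure, and std::vector::reserve reports an over-large request with length_error; throwing bad_alloc here means callers cannot tell the two cases apart, so either document the choice or consider `__throw_length_error`.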
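Review bot: in the path::operator/= hunk, removing the `capacity = std::max(capacity, (int) (curcap * 1.5))` block means this function no longer enlarges `capacity` for the `_Type::_Multi` case itself, so geometric growth now rests entirely on the later `_M_cmpts` reservation being made with the default `exact = false` (the signature shown in the previous hunk's context is `reserve(int newcap, bool exact = false)`); that call is outside the hunk's context lines, so confirm it is not an exact reservation, otherwise repeated appends would reallocate on every call. If nothing else in the function reads `orig_type` after this deletion, it becomes an unused variable and should be dropped to avoid a warning.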
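The commit message above describes two separate guards: a fixed cap on the component count so that the geometric (x1.5) growth step can never overflow `int`, and an overflow-checked computation of the byte count handed to `operator new`. The following is an added, stand-alone C++ example written for this page; it is not libstdc++'s code. It models both guards with hypothetical names (`grow_capacity`, `checked_alloc_bytes`, `Header`), uses the same INT_MAX/4 limit and the same GCC overflow builtins the patch uses, and exercises the boundary cases a test for such a change should cover.

```cpp
// Added example for this page (not libstdc++ code). Models the two guards the
// commit message describes: a cap on the component count so the x1.5 growth
// step cannot overflow int, and an overflow-checked byte count for the
// allocation. grow_capacity, checked_alloc_bytes and Header are hypothetical.
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>

// Stand-in for the allocation header that precedes the element array.
struct Header { int capacity; int size; };

// Pick the capacity to allocate. Grow geometrically unless 'exact' is set, then
// reject anything at or above INT_MAX/4 (the limit from the commit message).
// Every capacity that survives the check is below INT_MAX/4, so on the next
// call curcap + curcap/2 is below 3/8 of INT_MAX and cannot overflow; that is
// why the limit may be tested after the growth step rather than before it.
int grow_capacity(int curcap, int newcap, bool exact)
{
    if (newcap <= curcap)
        return curcap;                     // nothing to do
    if (!exact) {
        const int nextcap = curcap + curcap / 2;
        if (newcap < nextcap)
            newcap = nextcap;
    }
    if (newcap >= INT_MAX / 4)
        throw std::bad_alloc();            // refuse absurd component counts
    return newcap;
}

// sizeof(Header) + newcap * elem_size, computed in size_t without wrapping.
// The overflow builtins evaluate the exact mathematical result and report
// whether it fits the destination type, so mixing int and size_t is safe.
std::size_t checked_alloc_bytes(int newcap, std::size_t elem_size)
{
    std::size_t components, bytes;
    if (newcap < 0
        || __builtin_mul_overflow(newcap, elem_size, &components)
        || __builtin_add_overflow(sizeof(Header), components, &bytes))
        throw std::bad_alloc();
    return bytes;
}

// Helpers that turn the exception into a boolean so boundary cases can be
// checked without try/catch at the call site.
bool rejects_capacity(int curcap, int newcap, bool exact)
{
    try { grow_capacity(curcap, newcap, exact); return false; }
    catch (const std::bad_alloc&) { return true; }
}

bool rejects_bytes(int newcap, std::size_t elem_size)
{
    try { checked_alloc_bytes(newcap, elem_size); return false; }
    catch (const std::bad_alloc&) { return true; }
}

int main()
{
    // A few constructed inputs, including both limits.
    std::printf("grow 4->5 (geometric): %d\n", grow_capacity(4, 5, false));
    std::printf("grow 4->5 (exact): %d\n", grow_capacity(4, 5, true));
    std::printf("INT_MAX/4 rejected: %d\n", rejects_capacity(0, INT_MAX / 4, true));
    std::printf("bytes for 10 x 8: %zu\n", checked_alloc_bytes(10, 8));
    std::printf("1000 x SIZE_MAX rejected: %d\n", rejects_bytes(1000, SIZE_MAX));
    return 0;
}
```

The interesting case is a buffer that is already just under the limit: a non-exact request one element larger computes `nextcap` well past INT_MAX/4 without any signed overflow, and the guard then rejects it, which is exactly the ordering the patch relies on.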