libstdc++: Fix std::to_chars buffer overflow (PR 95851)

The __detail::__to_chars_2 function assumes it won't be called with zero values. However, when the output buffer is empty the caller doesn't handle zero values correctly, and calls __to_chars_2 with a zero value, resulting in an overflow of the empty buffer. The __detail::__to_chars_i function should just return immediately for an empty buffer, and otherwise ensure zero values are handled properly. libstdc++-v3/ChangeLog: PR libstdc++/95851 * include/std/charconv (__to_chars_i): Check for zero-sized buffer unconditionally. * testsuite/20_util/to_chars/95851.cc: New test. (cherry picked from commit be50843754b4c4d47f0d628a84b3dbf2a4145a43)

libstdc++: Fix std::to_chars buffer overflow (PR 95851)
The __detail::__to_chars_2 function assumes it won't be called with zero values. However, when the output buffer is empty the caller doesn't handle zero values correctly, and calls __to_chars_2 with a zero value, resulting in an overflow of the empty buffer. The __detail::__to_chars_i function should just return immediately for an empty buffer, and otherwise ensure zero values are handled properly. libstdc++-v3/ChangeLog: PR libstdc++/95851 * include/std/charconv (__to_chars_i): Check for zero-sized buffer unconditionally. * testsuite/20_util/to_chars/95851.cc: New test. (cherry picked from commit be50843754b4c4d47f0d628a84b3dbf2a4145a43)
ff5c8fe4 · Jonathan Wakely · f3a27a61 · ff5c8fe4 · ff5c8fe4
Commit ff5c8fe4 authored Jun 23, 2020 by Jonathan Wakely
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 1 deletions

libstdc++-v3/include/std/charconv
+4 -1

libstdc++-v3/testsuite/20_util/to_chars/95851.cc
+36 -0

No files found.
--- a/libstdc++-v3/include/std/charconv
+++ b/libstdc++-v3/include/std/charconv
@@ -327,7 +327,10 @@ namespace __detail
      using _Up = __detail::__unsigned_least_t<_Tp>;
      _Up __unsigned_val = __value;

-      if (__value == 0 && __first != __last)
+      if (__first == __last) [[__unlikely__]]
+	return { __last, errc::value_too_large };
+
+      if (__value == 0)
 	{
 	  *__first = '0';
 	  return { __first + 1, errc{} };

--- a/libstdc++-v3/testsuite/20_util/to_chars/95851.cc
+++ b/libstdc++-v3/testsuite/20_util/to_chars/95851.cc
+// Copyright (C) 2020 Free Software Foundation, Inc.
+//
+// This file is part of the GNU ISO C++ Library.  This library is free
+// software; you can redistribute it and/or modify it under the
+// terms of the GNU General Public License as published by the
+// Free Software Foundation; either version 3, or (at your option)
+// any later version.
+
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License along
+// with this library; see the file COPYING3.  If not see
+// <http://www.gnu.org/licenses/>.
+
+// { dg-do run { target c++14 } }
+
+#include <charconv>
+#include <testsuite_hooks.h>
+
+void
+test01()
+{
+  char* p = nullptr;
+  auto res = std::to_chars(p, p, 0, 2); // PR libstdc++/95851
+  VERIFY( res.ptr == p );
+  VERIFY( res.ec == std::errc::value_too_large );
+}
+
+int
+main()
+{
+  test01();
+}