Bug 48917 - istringstream with integer overflow causes uninitialised memory accesses
Summary: istringstream with integer overflow causes uninitialised memory accesses
Status: RESOLVED WORKSFORME
Alias: None
Product: gcc
Classification: Unclassified
Component: libstdc++
Version: 4.2.1
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2011-05-06 13:39 UTC by Robert Lupton
Modified: 2011-05-06 13:51 UTC
Known to work: 4.5.3, 4.6.0, 4.7.0

Attachments
Source code to reproduce the problem (127 bytes, application/x-msdownload)
2011-05-06 13:39 UTC, Robert Lupton

Description Robert Lupton 2011-05-06 13:39:12 UTC
Created attachment 24200
Source code to reproduce the problem

The attached program, if run on a machine with 32-bit ints (e.g. my MacBook Pro, but also Linux boxes), causes valgrind to report memory problems. The problem is avoided by declaring n long if sizeof(long) == 8, which suggests an overflow issue.

N.b. while the g++ version is 4.2.1, the libstdc++ appears to be 6.0.9.

Run as
g++ -o badFormat badFormat.cc -Wall -g && valgrind badFormat

(N.b. the error persists when compiling with clang++ but using libstdc++.)

Errors:
g++ -o badFormat badFormat.cc -Wall -g && valgrind badFormat
==14920== Memcheck, a memory error detector
==14920== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==14920== Using Valgrind-3.7.0.SVN and LibVEX; rerun with -h for copyright info
==14920== Command: badFormat
==14920== 
==14920== Conditional jump or move depends on uninitialised value(s)
==14920==    at 0x10004632E: std::ostreambuf_iterator<char, std::char_traits<char> > std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::_M_insert_int<long>(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x1000464F4: std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::do_put(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x10004D257: std::ostream& std::ostream::_M_insert<long>(long) (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x100000B9D: main (badFormat.cc:8)
==14920== 
==14920== Use of uninitialised value of size 8
==14920==    at 0x10003F3E0: int std::__int_to_char<char, unsigned long>(char*, unsigned long, char const*, std::_Ios_Fmtflags, bool) (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x100046358: std::ostreambuf_iterator<char, std::char_traits<char> > std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::_M_insert_int<long>(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x1000464F4: std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::do_put(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x10004D257: std::ostream& std::ostream::_M_insert<long>(long) (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x100000B9D: main (badFormat.cc:8)
==14920== 
==14920== Conditional jump or move depends on uninitialised value(s)
==14920==    at 0x10003F3EE: int std::__int_to_char<char, unsigned long>(char*, unsigned long, char const*, std::_Ios_Fmtflags, bool) (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x100046358: std::ostreambuf_iterator<char, std::char_traits<char> > std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::_M_insert_int<long>(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x1000464F4: std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::do_put(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x10004D257: std::ostream& std::ostream::_M_insert<long>(long) (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x100000B9D: main (badFormat.cc:8)
==14920== 
==14920== Conditional jump or move depends on uninitialised value(s)
==14920==    at 0x1000463C1: std::ostreambuf_iterator<char, std::char_traits<char> > std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::_M_insert_int<long>(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x1000464F4: std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::do_put(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x10004D257: std::ostream& std::ostream::_M_insert<long>(long) (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x100000B9D: main (badFormat.cc:8)
==14920== 
==14920== Conditional jump or move depends on uninitialised value(s)
==14920==    at 0x1000463D6: std::ostreambuf_iterator<char, std::char_traits<char> > std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::_M_insert_int<long>(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x1000464F4: std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::do_put(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, long) const (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x10004D257: std::ostream& std::ostream::_M_insert<long>(long) (in /usr/lib/libstdc++.6.0.9.dylib)
==14920==    by 0x100000B9D: main (badFormat.cc:8)
==14920== 
0
==14920== 
==14920== HEAP SUMMARY:
==14920==     in use at exit: 4,184 bytes in 2 blocks
==14920==   total heap usage: 4 allocs, 2 frees, 4,256 bytes allocated
==14920== 
==14920== LEAK SUMMARY:
==14920==    definitely lost: 0 bytes in 0 blocks
==14920==    indirectly lost: 0 bytes in 0 blocks
==14920==      possibly lost: 0 bytes in 0 blocks
==14920==    still reachable: 4,184 bytes in 2 blocks
==14920==         suppressed: 0 bytes in 0 blocks
==14920== Rerun with --leak-check=full to see details of leaked memory
==14920== 
==14920== For counts of detected and suppressed errors, rerun with: -v
==14920== Use --track-origins=yes to see where uninitialised values come from
==14920== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
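A defensive version of the parse the report describes, added here as an example; it is not the 127-byte attachment, and the variable name n, the function names and the ParseResult type are assumptions. It shows why an overflowing input must never reach the later `<<` and how the reporter's "declare n long" workaround can be made portable.

```cpp
#include <climits>
#include <sstream>
#include <string>

// Added example, not the attachment from the report. Result of a parse:
// `ok` is true only if the whole string was consumed as one int.
struct ParseResult {
    bool ok;
    int  value;   // meaningful only when ok is true, otherwise 0
};

// Parse through `int n`, as the reporter's program apparently did, but with
// n initialised and the stream state checked, so an overflowing input can
// never lead to printing an uninitialised value (the valgrind trace above
// shows exactly that: operator<< on n after a failed extraction).
ParseResult parse_int(const std::string& text) {
    std::istringstream in(text);
    int n = 0;                     // never left uninitialised
    in >> n;
    if (in.fail()) {
        // C++11 libstdc++ (4.5 and later, per "Known to work") sets failbit
        // on overflow and stores INT_MAX or INT_MIN in n; the C++03 wording
        // left n unmodified on failure, which is how the reporter's n stayed
        // uninitialised. Either way the value is refused here.
        return {false, 0};
    }
    char extra;                    // reject trailing junk such as "12abc"
    if (in >> extra) {
        return {false, 0};
    }
    return {true, n};
}

// The reporter's workaround, "declaring n long if sizeof(long) == 8", made
// portable: parse into long, then range-check before narrowing to int, so
// the outcome does not silently depend on the platform's long size.
ParseResult parse_int_via_long(const std::string& text) {
    std::istringstream in(text);
    long n = 0;
    if (!(in >> n) || n > INT_MAX || n < INT_MIN) {
        return {false, 0};
    }
    char extra;
    if (in >> extra) {
        return {false, 0};
    }
    return {true, static_cast<int>(n)};
}
```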
Comment 1 Paolo Carlini 2011-05-06 13:51:07 UTC
Everything is fine in the active branches.