This is the mail archive of the gcc-prs@gcc.gnu.org mailing list for the GCC project.
libstdc++/1066: bad use of strchr() in std::string
- To: gcc-gnats at gcc dot gnu dot org
- Subject: libstdc++/1066: bad use of strchr() in std::string
- From: bgarcia at laurelnetworks dot com
- Date: 14 Dec 2000 19:23:33 -0000
- Reply-To: bgarcia at laurelnetworks dot com
>Number: 1066
>Category: libstdc++
>Synopsis: bad use of strchr() in std::string
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: unassigned
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Dec 14 11:26:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: bgarcia@laurelnetworks.com
>Release: head of line
>Organization:
>Environment:
>Description:
in src/string-inst.cc:
#if _GLIBCPP_INSTANTIATING_CHAR
template<>
  const char*
  string::_S_find(const char* __beg, const char* __end, char __c)
  {
    char* __retval = strchr(__beg, __c);
    return (__retval ? __retval : __end);
  }
#else
...
The problem here is that strchr() is expecting the
char array to end with a 0 byte. This doesn't necessarily
happen in std::string. So strchr() could end up
accessing memory past the end of the array. This makes
efence very angry :^)
>How-To-Repeat:
>Fix:
Well, one possible fix (untested):
#if _GLIBCPP_INSTANTIATING_CHAR
template<>
  const char*
  string::_S_find(const char* __beg, const char* __end, char __c)
  {
    return find_if(__beg, __end,
                   _Char_traits_match<char, traits_type>(__c));
  }
#else
...
>Release-Note:
>Audit-Trail:
>Unformatted:
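The difference the report describes, shown as an added example that is neither the submitter's code nor libstdc++'s: find_with_strchr mirrors the reported _S_find, find_bounded restricts the search to [beg, end) using memchr with an explicit length (a stand-in for the proposed find_if over the range, not the _Char_traits_match form itself), and the sample buffer and helper names are constructed here.

```cpp
#include <cstring>

// The reported implementation: strchr() scans until it meets a 0 byte and
// never looks at 'end'.  Kept only to contrast with the bounded form.
const char* find_with_strchr(const char* beg, const char* end, char c)
{
    const char* r = std::strchr(beg, c);
    return r ? r : end;
}

// Bounded replacement: inspects only [beg, end).  For char this is what a
// traits-based find over the range boils down to; memchr takes an explicit
// length, so a missing terminator or an embedded 0 byte cannot mislead it.
const char* find_bounded(const char* beg, const char* end, char c)
{
    const void* r = std::memchr(beg, static_cast<unsigned char>(c),
                                static_cast<std::size_t>(end - beg));
    return r ? static_cast<const char*>(r) : end;
}

// Constructed sample: five logical bytes with an embedded 0, as std::string
// permits.  The extra trailing 0 exists only so the strchr variant can be
// called here without reading past the object.
static const char kSample[] = {'a', 'b', '\0', 'c', 'd', '\0'};
static const char* const kBeg = kSample;
static const char* const kEnd = kSample + 5;

// Offset of c within the sample under each strategy, or -1 for "not found".
long offset_strchr(char c)
{
    const char* r = find_with_strchr(kBeg, kEnd, c);
    return r == kEnd ? -1 : r - kBeg;
}

long offset_bounded(char c)
{
    const char* r = find_bounded(kBeg, kEnd, c);
    return r == kEnd ? -1 : r - kBeg;
}

// strchr() searching for '\0' returns the first terminator it sees, which can
// lie beyond the caller's 'end': here the logical range is just "a".
bool strchr_escapes_range()
{
    const char* shortEnd = kSample + 1;
    const char* r = find_with_strchr(kBeg, shortEnd, '\0');
    return r > shortEnd;
}
```

The strchr variant reports 'c' and 'd' as absent because it stops at the embedded 0, and for a '\0' search it hands back a pointer outside the caller's range; the bounded variant finds both characters and never leaves [beg, end).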