This is the mail archive of the
gcc-patches@gcc.gnu.org
mailing list for the GCC project.
[v3] Fix risks of buf overflow in money_put
- From: Paolo Carlini <pcarlini at unitus dot it>
- To: gcc-patches at gcc dot gnu dot org
- Date: Tue, 19 Mar 2002 00:25:06 +0100
- Subject: [v3] Fix risks of buf overflow in money_put
Hi,
two of them, indeed. I took also the occasion to simplify a bit my recent
rewrote of collate::do_transform. Tested i686-pc-linux-gnu, approved by Benjamin
Kosnik.
Ciao, Paolo.
////////////
2002-03-18 Paolo Carlini <pcarlini@unitus.it>
* include/bits/locale_facets.tcc
(money_put::do_put(long double)): Fix dimensioning of
temporary buffers to avoid risk of overruns.
(money_put::do_put(string)): Same for the buffer used to
add the grouping chars.
* testsuite/22_locale/money_put_members_char.cc: Add test06.
* testsuite/22_locale/money_put_members_wchar_t.cc: Ditto.
* include/bits/locale_facets.tcc
(collate::do_transform): Simplify.
===================================================================
RCS file: /cvs/gcc/gcc/libstdc++-v3/include/bits/locale_facets.tcc,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -r1.71 -r1.72
--- gcc/libstdc++-v3/include/bits/locale_facets.tcc 2002/03/10 23:51:31
1.71
+++ gcc/libstdc++-v3/include/bits/locale_facets.tcc 2002/03/18 23:11:55
1.72
@@ -1110,8 +1110,10 @@
long double __units) const
{
const locale __loc = __io.getloc();
- const ctype<_CharT>& __ctype = use_facet<ctype<_CharT> >(__loc);
- const int __n = numeric_limits<long double>::digits10;
+ const ctype<_CharT>& __ctype = use_facet<ctype<_CharT> >(__loc);
+ // max_exponent10 + 1 for the integer part, + 4 for sign, decimal point,
+ // decimal digit, '\0'.
+ const int __n = numeric_limits<long double>::max_exponent10 + 5;
char* __cs = static_cast<char*>(__builtin_alloca(sizeof(char) * __n));
_CharT* __ws = static_cast<_CharT*>(__builtin_alloca(sizeof(_CharT) *
__n));
int __len = __convert_from_v(__cs, "%.01Lf", __units, _S_c_locale);
@@ -1206,8 +1208,9 @@
: __mpf.thousands_sep();
const char* __gbeg = __grouping.c_str();
const char* __gend = __gbeg + __grouping.size();
- const int __n = numeric_limits<long double>::digits10 * 2;
- _CharT* __ws2 =
static_cast<_CharT*>(__builtin_alloca(sizeof(_CharT) * __n));
+ const int __n = (__end - __beg) * 2;
+ _CharT* __ws2 =
+ static_cast<_CharT*>(__builtin_alloca(sizeof(_CharT) *
__n));
_CharT* __ws_end = __add_grouping(__ws2, __sep, __gbeg,
__gend, __beg, __end);
__value.insert(0, __ws2, __ws_end - __ws2);
@@ -1863,10 +1866,9 @@
// If the buffer was not large enough, try again with the correct size.
if (__res >= __len)
{
- _CharT* __c2 =
+ __c =
static_cast<_CharT*>(__builtin_alloca(sizeof(_CharT) * (__res +
1)));
- _M_transform_helper(__c2, __lo, __res + 1);
- return string_type(__c2);
+ _M_transform_helper(__c, __lo, __res + 1);
}
return string_type(__c);
}
===================================================================
RCS file:
/cvs/gcc/gcc/libstdc++-v3/testsuite/22_locale/money_put_members_char.cc,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- gcc/libstdc++-v3/testsuite/22_locale/money_put_members_char.cc
2002/02/20 21:06:40 1.12
+++ gcc/libstdc++-v3/testsuite/22_locale/money_put_members_char.cc
2002/03/18 23:11:57 1.13
@@ -226,7 +226,7 @@
oss.setf(ios_base::showbase);
oss.str(empty);
- iterator_type os_it03 = mon_put.put(oss.rdbuf(), true, oss, ' ', digits1);
+ iterator_type os_it03 = mon_put.put(oss.rdbuf(), true, oss, ' ', digits1);
string result3 = oss.str();
VERIFY( result3 == "7.200.000.000,00 DEM ");
@@ -341,6 +341,33 @@
VERIFY( fmt.str() == "*(1,234.56)" );
}
+struct My_money_io_2 : public std::moneypunct<char,false>
+{
+ char_type do_thousands_sep() const { return ','; }
+ std::string do_grouping() const { return "\001"; }
+};
+
+// Make sure we can output a very big amount of money (with grouping too).
+void test06()
+{
+ using namespace std;
+ typedef ostreambuf_iterator<char> OutIt;
+
+ locale loc(locale::classic(), new My_money_io_2);
+
+ bool intl = false;
+
+ long double val = 1e50L;
+ const money_put<char,OutIt>& mp =
+ use_facet<money_put<char, OutIt> >(loc);
+
+ ostringstream fmt;
+ fmt.imbue(loc);
+ OutIt out(fmt);
+ mp.put(out,intl,fmt,'*',val);
+ VERIFY( fmt );
+}
+
int main()
{
test01();
@@ -348,5 +375,6 @@
test03();
test04();
test05();
+ test06();
return 0;
}
===================================================================
RCS file:
/cvs/gcc/gcc/libstdc++-v3/testsuite/22_locale/money_put_members_wchar_t.cc,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- gcc/libstdc++-v3/testsuite/22_locale/money_put_members_wchar_t.cc
2002/02/20 21:06:40 1.11
+++ gcc/libstdc++-v3/testsuite/22_locale/money_put_members_wchar_t.cc
2002/03/18 23:11:57 1.12
@@ -226,7 +226,7 @@
oss.setf(ios_base::showbase);
oss.str(empty);
- iterator_type os_it03 = mon_put.put(oss.rdbuf(), true, oss, ' ', digits1);
+ iterator_type os_it03 = mon_put.put(oss.rdbuf(), true, oss, ' ', digits1);
wstring result3 = oss.str();
VERIFY( result3 == L"7.200.000.000,00 DEM ");
@@ -340,6 +340,33 @@
mp.put(out,intl,fmt,L'*',val);
VERIFY( fmt.str() == L"*(1,234.56)" );
}
+
+struct My_money_io_2 : public std::moneypunct<wchar_t,false>
+{
+ char_type do_thousands_sep() const { return L','; }
+ std::string do_grouping() const { return "\001"; }
+};
+
+// Make sure we can output a very big amount of money (with grouping too).
+void test06()
+{
+ using namespace std;
+ typedef ostreambuf_iterator<wchar_t> OutIt;
+
+ locale loc(locale::classic(), new My_money_io_2);
+
+ bool intl = false;
+
+ long double val = 1e50L;
+ const money_put<wchar_t,OutIt>& mp =
+ use_facet<money_put<wchar_t, OutIt> >(loc);
+
+ wostringstream fmt;
+ fmt.imbue(loc);
+ OutIt out(fmt);
+ mp.put(out,intl,fmt,'*',val);
+ VERIFY( fmt );
+}
#endif
int main()
@@ -350,6 +377,7 @@
test03();
test04();
test05();
+ test06();
#endif
return 0;
}