This is the mail archive of the libstdc++@gcc.gnu.org mailing list for the libstdc++ project.
Re: [PATCH] Fix risks of buf overflow in money_put
- From: Nathan Myers <ncm-nospam at cantrip dot org>
- To: libstdc++ at gcc dot gnu dot org
- Date: Sun, 17 Mar 2002 03:28:48 +0000
- Subject: Re: [PATCH] Fix risks of buf overflow in money_put
- References: <3C93F91F.7BD4127F@unitus.it>
On Sun, Mar 17, 2002 at 03:02:07AM +0100, Paolo Carlini wrote:
> checking again the various locale facets for such kind of risk,
> I have found two more: the first is in money_put::do_put(long
> double), where __convert_from_v("%.01Lf") is used to print
> into a __builtin_alloca-ted temporary buffer; the second is in
> money_put::do_put(string), where a buffer is used when adding the
> grouping chars.
>
> Indeed, the testcase below segfaults if both of them are not fixed.
Uh-oh. Fortunately very few programs are likely to be using these yet.
Otherwise we might have to make a security announcement.
> IMO, the former can be dealt with in full generality only by enlarging
> the buffer to the real maximum expected size of the printed string.
> The latter, luckily, is fixed much more easily, since, in fact, the
> actual size of the integer part is known at that point.
Seems you shouldn't need a separate staging buffer for the string version.
Maybe the code is simpler that way.
I think the patch got damaged by your mailer.
Nathan Myers
ncm at cantrip dot org
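As an added illustration of the first risk discussed above (not code from libstdc++ or from either poster): "%.01Lf" applied to a long double can produce thousands of characters, so a fixed-size alloca'd buffer is not enough, and the only general fix is to size the buffer from the real maximum. The helpers below (`max_money_chars`, `formatted_length`, `format_money`, `fits_fixed_buffer`) are hypothetical names chosen for this example.

```cpp
#include <cstdio>
#include <limits>
#include <string>
#include <vector>

// Upper bound on the characters "%.01Lf" can emit for any finite long double:
// sign + integer digits (at most max_exponent10 + 1) + '.' + one fractional digit.
// Hypothetical helper, not a libstdc++ API.
std::size_t max_money_chars()
{
    return 1 + (std::numeric_limits<long double>::max_exponent10 + 1) + 1 + 1;
}

// Exact length "%.01Lf" produces for this value, via the C99 snprintf(NULL, 0, ...) idiom.
std::size_t formatted_length(long double v)
{
    int n = std::snprintf(nullptr, 0, "%.01Lf", v);
    return n < 0 ? 0 : static_cast<std::size_t>(n);
}

// Safe variant: allocate from the real bound first, then print into it.
std::string format_money(long double v)
{
    std::vector<char> buf(max_money_chars() + 1);  // +1 for the terminating NUL
    int n = std::snprintf(buf.data(), buf.size(), "%.01Lf", v);
    return std::string(buf.data(), n < 0 ? 0 : static_cast<std::size_t>(n));
}

// Would this value fit in a fixed buffer of `fixed` bytes, NUL included?
// This is the check a fixed-size staging buffer silently skips.
bool fits_fixed_buffer(long double v, std::size_t fixed)
{
    return formatted_length(v) + 1 <= fixed;
}
```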