This is the mail archive of the libstdc++@gcc.gnu.org mailing list for the libstdc++ project.



Re: [PATCH] Fix risks of buf overflow in money_put


On Sun, Mar 17, 2002 at 03:02:07AM +0100, Paolo Carlini wrote:
> checking again the various locale facets for such kind of risk,
> I have found two more: the first is in money_put::do_put(long
> double), where __convert_from_v("%.01Lf") is used to print
> into a __builtin_alloca-ted temporary buffer; the second is in
> money_put::do_put(string), where a buffer is used when adding the
> grouping chars.
>
> Indeed, the testcase below segfaults if both of them are not fixed.

Uh-oh.  Fortunately very few programs are likely to be using these yet.
Otherwise we might have to make a security announcement.

> IMO, the former can be dealt with in full generality only by enlarging
> the buffer to the real maximum expected size of the printed string.
> The latter, luckily, is fixed much more easily, since, in fact, the
> actual size of the integer part is known at that point.

Seems you shouldn't need a separate staging buffer for the string version.
Maybe the code is simpler that way.

I think the patch got damaged by your mailer.

Nathan Myers
ncm at cantrip dot org
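The two risks discussed in this thread, as an added illustration that is not part of the original mail or of the libstdc++ patch: the quoted message describes `"%.01Lf"` being printed into an alloca'd buffer whose size could not cover every finite `long double`, and a second buffer used while grouping chars are inserted. The helpers below (`money_buffer_bound`, `formatted_length`, `would_overflow`, `format_money`, `add_grouping`) are hypothetical names chosen for this example. They derive the buffer bound from `LDBL_MAX_10_EXP` instead of guessing, use `snprintf` so the write is bounded and truncation is detectable, and, following Nathan's remark, build the grouped string without any separate staging buffer.

```cpp
#include <cfloat>
#include <cstddef>
#include <cstdio>
#include <string>

// Upper bound, in bytes, on what "%.01Lf" can produce for any finite long
// double: sign + (LDBL_MAX_10_EXP + 1) integer digits + '.' + one fraction
// digit + terminating NUL. LDBL_MAX_10_EXP is the largest exponent such that
// 10^exp is representable, so LDBL_MAX has exactly LDBL_MAX_10_EXP + 1
// integer digits. (Hypothetical helper, not libstdc++'s own code.)
constexpr std::size_t money_buffer_bound()
{
    return 1 + (LDBL_MAX_10_EXP + 1) + 1 + 1 + 1;
}

// Number of bytes (excluding the NUL) that "%.01Lf" needs for this value.
// snprintf(nullptr, 0, ...) measures without writing anywhere.
std::size_t formatted_length(long double v)
{
    int n = std::snprintf(nullptr, 0, "%.01Lf", v);
    return n < 0 ? 0 : static_cast<std::size_t>(n);
}

// Would a fixed staging buffer of buf_size bytes overflow for this value?
// This is the check a too-small alloca'd buffer silently lacks.
bool would_overflow(long double v, std::size_t buf_size)
{
    return formatted_length(v) + 1 > buf_size;  // +1 for the NUL
}

// Safe formatting: the buffer is sized from the bound, snprintf limits the
// write to the buffer, and the return value is checked for truncation.
std::string format_money(long double v)
{
    char buf[money_buffer_bound()];
    int n = std::snprintf(buf, sizeof buf, "%.01Lf", v);
    if (n < 0 || static_cast<std::size_t>(n) >= sizeof buf)
        return std::string();  // truncated: cannot happen for finite values
    return std::string(buf, static_cast<std::size_t>(n));
}

// Insert a grouping separator every 'group' digits, from the right, into a
// string of integer digits. std::string grows as needed, so the output size
// (digits plus separators) never has to be guessed into a fixed buffer.
std::string add_grouping(const std::string& digits, char sep, std::size_t group)
{
    if (group == 0 || digits.size() <= group)
        return digits;
    std::string out;
    out.reserve(digits.size() + digits.size() / group);
    std::size_t first = digits.size() % group;  // length of the leading group
    if (first == 0)
        first = group;
    out.append(digits, 0, first);
    for (std::size_t i = first; i < digits.size(); i += group) {
        out.push_back(sep);
        out.append(digits, i, group);
    }
    return out;
}

int main()
{
    // Constructed sample values: LDBL_MAX is the worst case for "%.01Lf".
    std::printf("bound=%zu  LDBL_MAX needs %zu bytes  64-byte buffer overflows: %d\n",
                money_buffer_bound(), formatted_length(LDBL_MAX) + 1,
                would_overflow(LDBL_MAX, 64));
    std::printf("%s\n", add_grouping("1234567", ',', 3).c_str());
    return 0;
}
```

The bound is a few kilobytes on x86 (`LDBL_MAX_10_EXP` is 4932 for the 80-bit type), which is why the quoted message calls enlarging the buffer the only fully general fix for the `long double` path; checking `snprintf`'s return value is what turns any remaining mistake in the arithmetic into a detectable failure instead of a stack overwrite.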

