[gcc(refs/users/meissner/heads/work008b)] libstdc++: Adjust overflow prevention to operator>>

Michael Meissner meissner@gcc.gnu.org
Thu Aug 6 17:58:49 GMT 2020


https://gcc.gnu.org/g:6251ea15f55ec57d6325c2e37e88b22315aba658

commit 6251ea15f55ec57d6325c2e37e88b22315aba658
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Thu Aug 6 16:16:33 2020 +0100

    libstdc++: Adjust overflow prevention to operator>>
    
    This adjusts the overflow prevention added to operator>> so that we can
    distinguish "unknown size" from "zero size", and avoid writing anything
    at all in to zero sized buffers.
    
    This also removes the incorrect comment saying extraction stops at a
    null byte.
    
    libstdc++-v3/ChangeLog:
    
            * include/std/istream (operator>>(istream&, char*)): Add
            attributes to get warnings for pointers that are null or known
            to point to the end of a buffer. Request upper bound from
            __builtin_object_size check and handle zero-sized buffer case.
            (operator>>(istream&, signed char))
            (operator>>(istream&, unsigned char*)): Add attributes.
            * testsuite/27_io/basic_istream/extractors_character/char/overflow.cc:
            Check extracting into the middle of a buffer.
            * testsuite/27_io/basic_istream/extractors_character/wchar_t/overflow.cc: New test.

Diff:
---
 libstdc++-v3/include/std/istream                   | 26 +++++++---
 .../extractors_character/char/overflow.cc          | 21 ++++++--
 .../extractors_character/wchar_t/overflow.cc       | 57 ++++++++++++++++++++++
 3 files changed, 94 insertions(+), 10 deletions(-)

diff --git a/libstdc++-v3/include/std/istream b/libstdc++-v3/include/std/istream
index cb8e9f87c90..20a455a0ef1 100644
--- a/libstdc++-v3/include/std/istream
+++ b/libstdc++-v3/include/std/istream
@@ -790,7 +790,6 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION
    *  - `n - 1` characters are stored
    *  - EOF is reached
    *  - the next character is whitespace according to the current locale
-   *  - the next character is a null byte (i.e., `charT()`)
    *
    *  `width(0)` is then called for the input stream.
    *
@@ -799,25 +798,38 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION
 
 #if __cplusplus <= 201703L
   template<typename _CharT, typename _Traits>
+    __attribute__((__nonnull__(2), __access__(__write_only__, 2)))
     inline basic_istream<_CharT, _Traits>&
     operator>>(basic_istream<_CharT, _Traits>& __in, _CharT* __s)
     {
-      streamsize __n = __builtin_object_size(__s, 2) / sizeof(_CharT);
-      if (__n == 0)
-	__n = __gnu_cxx::__numeric_traits<streamsize>::__max / sizeof(_CharT);
-      std::__istream_extract(__in, __s, __n);
+      size_t __n = __builtin_object_size(__s, 0);
+      if (__builtin_expect(__n < sizeof(_CharT), false))
+	{
+	  // There is not even space for the required null terminator.
+	  __glibcxx_assert(__n >= sizeof(_CharT));
+	  __in.width(0);
+	  __in.setstate(ios_base::failbit);
+	}
+      else
+	{
+	  if (__n == (size_t)-1)
+	    __n = __gnu_cxx::__numeric_traits<streamsize>::__max;
+	  std::__istream_extract(__in, __s, __n / sizeof(_CharT));
+	}
       return __in;
     }
 
   template<class _Traits>
+    __attribute__((__nonnull__(2), __access__(__write_only__, 2)))
     inline basic_istream<char, _Traits>&
     operator>>(basic_istream<char, _Traits>& __in, unsigned char* __s)
-    { return (__in >> reinterpret_cast<char*>(__s)); }
+    { return __in >> reinterpret_cast<char*>(__s); }
 
   template<class _Traits>
+    __attribute__((__nonnull__(2), __access__(__write_only__, 2)))
     inline basic_istream<char, _Traits>&
     operator>>(basic_istream<char, _Traits>& __in, signed char* __s)
-    { return (__in >> reinterpret_cast<char*>(__s)); }
+    { return __in >> reinterpret_cast<char*>(__s); }
 #else
   // _GLIBCXX_RESOLVE_LIB_DEFECTS
   // 2499. operator>>(istream&, char*) makes it hard to avoid buffer overflows
diff --git a/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/char/overflow.cc b/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/char/overflow.cc
index 1141a41b208..abbba8bb09b 100644
--- a/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/char/overflow.cc
+++ b/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/char/overflow.cc
@@ -15,14 +15,14 @@
 // with this library; see the file COPYING3.  If not see
 // <http://www.gnu.org/licenses/>.
 
-// { dg-options "-O2 -std=gnu++98" }
+// { dg-options "-O2" }
 // { dg-do run }
 
 // This test checks that operator>> will avoid a buffer overflow when
 // reading into a buffer with a size that is known at compile time.
 
 // Since C++20 this is guaranteed (see LWG 2499), for previous standards
-// we try to check the buffer size as an extension (which depends on -O2).
+// checking the buffer size is an extension and depends on optimisation.
 
 #include <sstream>
 #include <testsuite_hooks.h>
@@ -30,11 +30,24 @@
 void
 test01()
 {
-  std::istringstream in("foolish child");
+  std::istringstream in("foolishly");
   char pc[5];
   in >> pc;
   VERIFY( in.good() );
   VERIFY( std::string(pc) == "fool" );
+
+#if __cplusplus <= 201703L
+  char* p = pc + 1;
+  in >> p;
+  VERIFY( in.good() );
+  VERIFY( std::string(pc) == "fish" );
+
+  p = pc + 4;
+  *p = '#';
+  in >> p;
+  VERIFY( in.fail() ); // if no characters are extracted, failbit is set
+  VERIFY( *p == '\0' );
+#endif
 }
 
 void
@@ -61,4 +74,6 @@ int
 main()
 {
   test01();
+  test02();
+  test03();
 }
diff --git a/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/wchar_t/overflow.cc b/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/wchar_t/overflow.cc
new file mode 100644
index 00000000000..6a23f1305a3
--- /dev/null
+++ b/libstdc++-v3/testsuite/27_io/basic_istream/extractors_character/wchar_t/overflow.cc
@@ -0,0 +1,57 @@
+// Copyright (C) 2020 Free Software Foundation, Inc.
+//
+// This file is part of the GNU ISO C++ Library.  This library is free
+// software; you can redistribute it and/or modify it under the
+// terms of the GNU General Public License as published by the
+// Free Software Foundation; either version 3, or (at your option)
+// any later version.
+
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License along
+// with this library; see the file COPYING3.  If not see
+// <http://www.gnu.org/licenses/>.
+
+// { dg-options "-O2" }
+// { dg-do run }
+
+// This test checks that operator>> will avoid a buffer overflow when
+// reading into a buffer with a size that is known at compile time.
+
+// Since C++20 this is guaranteed (see LWG 2499), for previous standards
+// checking the buffer size is an extension and depends on optimisation.
+
+#include <sstream>
+#include <testsuite_hooks.h>
+
+void
+test01()
+{
+  std::wistringstream in(L"foolishly");
+  wchar_t pc[5];
+  in >> pc;
+  VERIFY( in.good() );
+  VERIFY( std::wstring(pc) == L"fool" );
+
+#if __cplusplus <= 201703L
+  wchar_t* p = pc + 1;
+  in >> p;
+  VERIFY( in.good() );
+  VERIFY( std::wstring(pc) == L"fish" );
+
+  p = pc + 4;
+  *p = L'#';
+  in >> p;
+  VERIFY( in.fail() ); // if no characters are extracted, failbit is set
+  VERIFY( *p == L'\0' );
+#endif
+}
+
+int
+main()
+{
+  test01();
+}


More information about the Gcc-cvs mailing list