https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104966

--- Comment #10 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-11 branch has been updated by Jonathan Wakely
<r...@gcc.gnu.org>:

https://gcc.gnu.org/g:3859a3cb9b997fb8d9134180b8cc68f040dd36f5

commit r11-9900-g3859a3cb9b997fb8d9134180b8cc68f040dd36f5
Author: Jonathan Wakely <jwak...@redhat.com>
Date:   Thu Mar 17 13:33:07 2022 +0000

    libstdc++: Fix warning in __moneypunct_cache::_M_cache [PR104966]

    GCC thinks the following can lead to a buffer overflow when __ns.size()
    equals zero:

              const basic_string<_CharT>& __ns = __mp.negative_sign();
              _M_negative_sign_size = __ns.size();
              __negative_sign = new _CharT[_M_negative_sign_size];
              __ns.copy(__negative_sign, _M_negative_sign_size);

    This happens because operator new might be replaced with something that
    writes to this->_M_negative_sign_size and so the basic_string::copy call
    could use a non-zero size to write to a zero-length buffer.

    The solution suggested by Richi is to cache the size in a local variable
    so that the compiler knows it won't be changed between the allocation
    and the copy.

    libstdc++-v3/ChangeLog:

            PR middle-end/104966
            * include/bits/locale_facets_nonio.tcc
            (__moneypunct_cache::_M_cache): Store string sizes in local
            variable that doesn't escape.
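Added example, not code from this commit or from libstdc++: a minimal sketch of the two shapes the commit message contrasts, the size held in a member versus the size held in a non-escaping local. `SignCache`, `fill_via_member`, `fill_via_local` and `cached_sign` are hypothetical names chosen for illustration.

```cpp
#include <cstddef>
#include <string>

// Hypothetical stand-in for the cache object; not libstdc++'s real class.
struct SignCache {
    const char* sign = nullptr;
    std::size_t sign_size = 0;

    SignCache() = default;
    SignCache(const SignCache&) = delete;
    SignCache& operator=(const SignCache&) = delete;
    ~SignCache() { delete[] sign; }

    // Shape the commit message quotes: the size is written to a member first.
    // operator new[] is replaceable and opaque to the compiler, so it must
    // assume the call could modify this->sign_size and reload it for copy().
    void fill_via_member(const std::string& ns) {
        delete[] sign;
        sign = nullptr;
        sign_size = ns.size();
        char* buf = new char[sign_size];
        ns.copy(buf, sign_size);  // length is re-read from *this
        sign = buf;
    }

    // Shape of the described fix: the size lives in a local whose address
    // never escapes, so nothing can change it between allocation and copy.
    void fill_via_local(const std::string& ns) {
        delete[] sign;
        sign = nullptr;
        const std::size_t n = ns.size();
        char* buf = new char[n];
        ns.copy(buf, n);  // provably the same n that sized the buffer
        sign = buf;
        sign_size = n;
    }
};

// Round-trips a sign string through the cache using the local-variable form.
std::string cached_sign(const std::string& ns) {
    SignCache c;
    c.fill_via_local(ns);
    return std::string(c.sign, c.sign_size);
}

int main() {
    // Constructed inputs: the empty sign is the zero-length case at issue.
    return (cached_sign("").empty() && cached_sign("-") == "-") ? 0 : 1;
}
```

Both forms behave identically with the default allocator; the difference is only in what the compiler can prove about the length passed to `copy`.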
