[ 
https://issues.apache.org/jira/browse/STDCXX-765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Farid Zaripov updated STDCXX-765:
---------------------------------

    Description: 
The buf parameter of the _rw_fmtflags(), _rw_fmtevent() and _rw_fmtlc() 
functions contains data that is not NUL-terminated. The length of the data in 
buf is stored in buf.endoff.
The rw_asnprintf() function accepts only buf.pbuf and buf.pbufsize, but not 
buf.endoff. When the %{+} format is used, the length of the data in buf is 
calculated using the strlen() function, but this length is incorrect because 
the data is not NUL-terminated.
Another bug is that the _rw_fmtflags(), _rw_fmtevent() and _rw_fmtlc() functions 
return len without updating buf.endoff. Because of this, the result of 
rw_asnprintf() is cut off in further processing.

These problems were detected in the 0.printf test after the latest update.

The schematic patch, without error checking, is below. This patch is not intended 
to be applied. It only shows how these bugs should be fixed.

{noformat}
Index: tests/src/fmt_bits.cpp
===================================================================
--- tests/src/fmt_bits.cpp      (revision 637399)
+++ tests/src/fmt_bits.cpp      (working copy)
@@ -204,9 +204,12 @@
 
 #endif   // _RWSTD_NO_EXT_BIN_IO
 
-        len = rw_asnprintf (buf.pbuf, buf.pbufsize,
-                            "%{+} | %{?}std::ios::%{;}base(%d)",
-                            spec.fl_pound, base);
+        (*buf.pbuf) [buf.endoff] = '\0';
+        int res = rw_asnprintf (buf.pbuf, buf.pbufsize,
+                                "%{+} | %{?}std::ios::%{;}base(%d)",
+                                spec.fl_pound, base);
+        buf.endoff += res;
+        len += res;
     }
 
     return len;
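Review bot: The added store `(*buf.pbuf) [buf.endoff] = '\0';` writes one byte at offset endoff without comparing it to the capacity that buf.pbufsize refers to, so if the buffer can be exactly full or still unallocated at this point (the hunk does not rule either out), the terminator lands outside the allocation. The return value is then added to the offset unchecked; if rw_asnprintf() reports failure with a negative value, as seems likely, `buf.endoff += res;` moves the end offset backwards, so a guard such as `if (res < 0) return res;` should precede it. Both points apply equally to the hunks at `@@ -303` and `@@ -329`, which use the same three-line pattern. It is also worth confirming that with `%{+}` the return value counts only the appended characters and not the whole buffer, since otherwise `buf.endoff += res;` and `len += res;` would overshoot. The enclosing function bodies begin outside the hunks, so whether callers already guarantee spare capacity cannot be seen here.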
@@ -303,9 +306,12 @@
         : std::ios::erase_event   == event ? "erase_event"
         : 0;
 
-    return rw_asnprintf (buf.pbuf, buf.pbufsize,
-                         "%{+}%{?}std::ios::%{;}%{?}%s%{:}event(%d)%{;}",
-                         spec.fl_pound, 0 != str, str, event);
+    (*buf.pbuf) [buf.endoff] = '\0';
+    int len = rw_asnprintf (buf.pbuf, buf.pbufsize,
+                            "%{+}%{?}std::ios::%{;}%{?}%s%{:}event(%d)%{;}",
+                            spec.fl_pound, 0 != str, str, event);
+    buf.endoff += len;
+    return len;
 }
 
 /********************************************************************/
@@ -329,8 +335,12 @@
 
     }
 
-    if (str)
-        return rw_asnprintf (buf.pbuf, buf.pbufsize, "%{+}%s", str);
+    if (str) {
+        (*buf.pbuf) [buf.endoff] = '\0';
+        int len = rw_asnprintf (buf.pbuf, buf.pbufsize, "%{+}%s", str);
+        buf.endoff += len;
+        return len;
+    }
 
     static const Bitnames names [] = {
         BITNAME (std::locale, all),
{noformat}


  was:
The buf parameter of the _rw_fmtflags(), _rw_fmtevent() and _rw_fmtlc() 
functions contains not NUL-terminated data. The length of data in buf is stored 
in buf.endoff.
The rw_asnprintf() function accepts the only buf.pbuf and buf.pbufsize, but not 
buf.endoff. When %{+} format is used, the length of data in buf calculated 
using strlen() function, but this length is incorrect due to data is not 
NUL-terminated.
Another bug is that _rw_fmtflags(), _rw_fmtevent() and _rw_fmtlc() functions 
are returns len, but without updating the buf.endoff. Due to this the result of 
rw_asnprintf() is cutted in further processing.

These problems are detected in 0.printf test after lates update.

The schematic patch without error checking is below. This patch is not intended 
to apply. Its only shows how these bugs should be fixed.

{noformat}
Index: tests/src/fmt_bits.cpp
===================================================================
--- tests/src/fmt_bits.cpp      (revision 637399)
+++ tests/src/fmt_bits.cpp      (working copy)
@@ -204,9 +204,12 @@
 
 #endif   // _RWSTD_NO_EXT_BIN_IO
 
-        len = rw_asnprintf (buf.pbuf, buf.pbufsize,
-                            "%{+} | %{?}std::ios::%{;}base(%d)",
-                            spec.fl_pound, base);
+        (*buf.pbuf) [buf.endoff] = '\0';
+        int res = rw_asnprintf (buf.pbuf, buf.pbufsize,
+                                "%{+} | %{?}std::ios::%{;}base(%d)",
+                                spec.fl_pound, base);
+        buf.endoff += res;
+        len += res;
     }
 
     return len;
@@ -303,9 +306,12 @@
         : std::ios::erase_event   == event ? "erase_event"
         : 0;
 
-    return rw_asnprintf (buf.pbuf, buf.pbufsize,
-                         "%{+}%{?}std::ios::%{;}%{?}%s%{:}event(%d)%{;}",
-                         spec.fl_pound, 0 != str, str, event);
+    (*buf.pbuf) [buf.endoff] = '\0';
+    int len = rw_asnprintf (buf.pbuf, buf.pbufsize,
+                            "%{+}%{?}std::ios::%{;}%{?}%s%{:}event(%d)%{;}",
+                            spec.fl_pound, 0 != str, str, event);
+    buf.endoff += len;
+    return len;
 }
 
 /********************************************************************/
@@ -329,8 +335,12 @@
 
     }
 
-    if (str)
-        return rw_asnprintf (buf.pbuf, buf.pbufsize, "%{+}%s", str);
+    if (str) {
+        (*buf.pbuf) [buf.endoff] = '\0';
+        int len = rw_asnprintf (buf.pbuf, buf.pbufsize, "%{+}%s", str);
+        buf.endoff += len;
+        return len;
+    }
 
     static const Bitnames names [] = {
         BITNAME (std::locale, all),
{noformat}



> Incorrect using  rw_asnprintf() with %{+} format and not NUL-terminated 
> buffer in _rw_fmtflags(), _rw_fmtevent(), _rw_fmtlc()
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: STDCXX-765
>                 URL: https://issues.apache.org/jira/browse/STDCXX-765
>             Project: C++ Standard Library
>          Issue Type: Bug
>          Components: Test Driver
>    Affects Versions: 4.2.0
>         Environment: All
>            Reporter: Farid Zaripov
>             Fix For: 4.2.1
>
>
> The buf parameter of the _rw_fmtflags(), _rw_fmtevent() and _rw_fmtlc() 
> functions contains not NUL-terminated data. The length of data in buf is 
> stored in buf.endoff.
> The rw_asnprintf() function accepts the only buf.pbuf and buf.pbufsize, but 
> not buf.endoff. When %{+} format is used, the length of data in buf 
> calculated using strlen() function, but this length is incorrect due to data 
> is not NUL-terminated.
> Another bug is that _rw_fmtflags(), _rw_fmtevent() and _rw_fmtlc() functions 
> are returns len, but without updating the buf.endoff. Due to this the result 
> of rw_asnprintf() is cutted in further processing.
> These problems are detected in 0.printf test after latest update.
> The schematic patch without error checking is below. This patch is not 
> intended to apply. It's only shows how these bugs should be fixed.
> {noformat}
> Index: tests/src/fmt_bits.cpp
> ===================================================================
> --- tests/src/fmt_bits.cpp    (revision 637399)
> +++ tests/src/fmt_bits.cpp    (working copy)
> @@ -204,9 +204,12 @@
>  
>  #endif   // _RWSTD_NO_EXT_BIN_IO
>  
> -        len = rw_asnprintf (buf.pbuf, buf.pbufsize,
> -                            "%{+} | %{?}std::ios::%{;}base(%d)",
> -                            spec.fl_pound, base);
> +        (*buf.pbuf) [buf.endoff] = '\0';
> +        int res = rw_asnprintf (buf.pbuf, buf.pbufsize,
> +                                "%{+} | %{?}std::ios::%{;}base(%d)",
> +                                spec.fl_pound, base);
> +        buf.endoff += res;
> +        len += res;
>      }
>  
>      return len;
> @@ -303,9 +306,12 @@
>          : std::ios::erase_event   == event ? "erase_event"
>          : 0;
>  
> -    return rw_asnprintf (buf.pbuf, buf.pbufsize,
> -                         "%{+}%{?}std::ios::%{;}%{?}%s%{:}event(%d)%{;}",
> -                         spec.fl_pound, 0 != str, str, event);
> +    (*buf.pbuf) [buf.endoff] = '\0';
> +    int len = rw_asnprintf (buf.pbuf, buf.pbufsize,
> +                            "%{+}%{?}std::ios::%{;}%{?}%s%{:}event(%d)%{;}",
> +                            spec.fl_pound, 0 != str, str, event);
> +    buf.endoff += len;
> +    return len;
>  }
>  
>  /********************************************************************/
> @@ -329,8 +335,12 @@
>  
>      }
>  
> -    if (str)
> -        return rw_asnprintf (buf.pbuf, buf.pbufsize, "%{+}%s", str);
> +    if (str) {
> +        (*buf.pbuf) [buf.endoff] = '\0';
> +        int len = rw_asnprintf (buf.pbuf, buf.pbufsize, "%{+}%s", str);
> +        buf.endoff += len;
> +        return len;
> +    }
>  
>      static const Bitnames names [] = {
>          BITNAME (std::locale, all),
> {noformat}
