https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89629
Bug ID: 89629
Summary: std::hash<std::string> segfault for long strings
Product: gcc
Version: 8.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: dan at stahlke dot org
Target Milestone: ---

_Hash_bytes crashes when len is 2^31 or greater. The length is converted to int at hash_bytes.cc line 142, resulting in a negative number if the length doesn't fit in an int variable. Then end < buf, resulting in an infinite loop that eventually runs into inaccessible memory.

    #include <unordered_set>
    #include <string>
    #include <iostream>

    int main() {
        size_t big = size_t(1) << 31;
        std::cout << "line " << __LINE__ << std::endl;
        // this succeeds
        std::hash<std::string>{}(std::string(big - 1, 'a'));
        std::cout << "line " << __LINE__ << std::endl;
        // segfault at libstdc++-v3/libsupc++/hash_bytes.cc:147
        std::hash<std::string>{}(std::string(big, 'a'));
        std::cout << "line " << __LINE__ << std::endl;
    }
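
The narrowing described in the report, modelled with offsets so that no 2 GiB buffer is needed. This is an added example, not libstdc++ code and not the reporter's: the helper names and the `Outcome` enum are hypothetical, and it assumes a 64-bit `size_t` and a compiler that wraps out-of-range `int` conversions modulo 2^32, as GCC does. The 2^32 + 16 case goes beyond the two lengths the report tests.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>

static_assert(sizeof(std::size_t) == 8, "example assumes a 64-bit size_t");

// Hypothetical helper: the 8-byte-aligned length stored in an int, which is
// the narrowing the report describes. Returns the offset of `end` from `buf`.
std::int64_t end_offset_narrowed(std::size_t len) {
    const int len_aligned = static_cast<int>(len & ~std::size_t(7));
    return len_aligned;
}

// The same computation kept in size_t, so no high bits are lost.
std::size_t end_offset_full(std::size_t len) {
    return len & ~std::size_t(7);
}

enum class Outcome { Ok, EndBeforeBuf, EndTooEarly };

// Classify where `end` lands for a buffer of `len` bytes.
Outcome classify(std::size_t len) {
    const std::int64_t narrowed = end_offset_narrowed(len);
    if (narrowed < 0)
        return Outcome::EndBeforeBuf;  // end < buf: a forward walk never meets it
    if (static_cast<std::size_t>(narrowed) != end_offset_full(len))
        return Outcome::EndTooEarly;   // end lies before the true aligned end
    return Outcome::Ok;
}

int main() {
    const std::size_t big = std::size_t(1) << 31;
    const std::size_t lens[] = {big - 1, big, (std::size_t(1) << 32) + 16};
    for (std::size_t len : lens)
        std::cout << len << ": narrowed=" << end_offset_narrowed(len)
                  << " full=" << end_offset_full(len)
                  << " outcome=" << static_cast<int>(classify(len)) << '\n';
}
```

Keeping the aligned length in `size_t` (or `ptrdiff_t`) makes `classify` return `Ok` for every length, which is the property a fix needs to restore.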