https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89629
Bug ID: 89629
Summary: std::hash<std::string> segfault for long strings
Product: gcc
Version: 8.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: dan at stahlke dot org
Target Milestone: ---

_Hash_bytes crashes when len is 2^31 or greater. The length is converted to
int at hash_bytes.cc line 142, resulting in a negative number if the length
doesn't fit in an int variable. Then end < buf, resulting in an infinite loop
that eventually runs into inaccessible memory.

#include <unordered_set>
#include <string>
#include <iostream>

int main() {
    size_t big = size_t(1) << 31;
    std::cout << "line " << __LINE__ << std::endl;
    // this succeeds
    std::hash<std::string>{}(std::string(big - 1, 'a'));
    std::cout << "line " << __LINE__ << std::endl;
    // segfault at libstdc++-v3/libsupc++/hash_bytes.cc:147
    std::hash<std::string>{}(std::string(big, 'a'));
    std::cout << "line " << __LINE__ << std::endl;
}
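
Added example (not part of the original report and not libstdc++ source): a model of the narrowing described above, showing why a length of 2^31 - 1 keeps the loop inside the buffer while 2^31 does not, without allocating 2 GiB. It assumes an LP64 target (64-bit size_t, 32-bit int) and a loop that advances 8 bytes at a time until its pointer equals the end pointer; all function names are hypothetical.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

// Model only (assumption): the length is rounded down to a multiple of 8 and
// the hashing loop runs `for (p = buf; p != end; p += 8)` with end = buf + that value.

// Aligned length as seen after being stored in a 32-bit int.
std::int64_t aligned_len_as_int(std::uint64_t len) {
    std::uint32_t low = static_cast<std::uint32_t>(len & ~std::uint64_t(7));
    return static_cast<std::int32_t>(low);  // wraps on two's-complement targets
}

// Aligned length kept at full size_t width (no narrowing).
std::uint64_t aligned_len_as_size_t(std::uint64_t len) {
    return len & ~std::uint64_t(7);
}

// 8-byte steps a `p != end` loop needs before p equals end, with pointer
// arithmetic taken modulo 2^64. A negative offset means wrapping the address space.
std::uint64_t steps_until_end(std::int64_t end_offset) {
    return static_cast<std::uint64_t>(end_offset) / 8;
}

// True when every word the loop reads lies inside the len-byte buffer.
bool loop_stays_in_buffer(std::uint64_t len, std::int64_t end_offset) {
    return end_offset >= 0 && static_cast<std::uint64_t>(end_offset) <= len;
}

// Caller-side guard: refuse lengths that an int cannot represent.
bool length_safe_for_int(std::uint64_t len) {
    return len <= static_cast<std::uint64_t>(INT_MAX);
}

int main() {
    const std::uint64_t big = std::uint64_t(1) << 31;
    const std::uint64_t lens[] = {big - 1, big};  // the two cases from the report
    for (std::uint64_t len : lens) {
        std::int64_t off = aligned_len_as_int(len);
        std::printf("len=%llu end-buf=%lld steps=%llu in_buffer=%d guard_ok=%d\n",
                    static_cast<unsigned long long>(len),
                    static_cast<long long>(off),
                    static_cast<unsigned long long>(steps_until_end(off)),
                    loop_stays_in_buffer(len, off) ? 1 : 0,
                    length_safe_for_int(len) ? 1 : 0);
    }
    return 0;
}
```

In this model the 2^31 case puts end 2 GiB below buf, so the loop would need about 2^61 steps to reach it and leaves the allocation almost immediately.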