[Bug libstdc++/105857] codecvt::do_length causes unexpected buffer overflow

Tue, 26 Nov 2024 08:01:40 -0800 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105857

--- Comment #10 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to andysem from comment #0)
> The problem appears to be that std::codecvt< wchar_t, char, std::mbstate_t
> >::do_length() accesses characters outside the [s, s + max_size) range,

I'm pretty sure it doesn't.

> apparently using the ~static_cast< std::size_t >(0u) as the size limit.

That's the maximum number of output characters to write to the output buffer,
it should have no effect on the number of characters read from the input
buffer. If it does, that's a glibc bug because libstdc++ just calls mbsnrtowcs:

        size_t __conv = mbsnrtowcs(__to, &__from,
                                   __from_chunk_end - __from,
                                   __max, &__state);

> That is, max is only referred to as the size of the potential output buffer,
> and the source buffer is specified as [from, from_end).

Again, if there's an access outside that range, it's a bug in glibc's
mbsnrtowcs.

The problem is that the output range is a buffer obtained from alloca:

    // A dummy internal buffer is needed in order for mbsnrtocws to consider
    // its fourth parameter (it wouldn't with NULL as first parameter).
    wchar_t* __to = static_cast<wchar_t*>(__builtin_alloca(sizeof(wchar_t)
                                                           * __max));

For your program, that multiplication is going to wrap and give a value smaller
than __max.

The fortified mbsnrtowcs has:

size_t
__mbsnrtowcs_chk (wchar_t *dst, const char **src, size_t nmc, size_t len,
                  mbstate_t *ps, size_t dstlen)
{
  if (__glibc_unlikely (dstlen < len))
    __chk_fail ();

So this check is noticing that the size of the alloca'd buffer (destlen) is
smaller than the size passed in (len).


> There is no
> requirement for max to be within [from, from_end) bounds. If I change max to
> (sizeof(text) - 1u) then the buffer overflow does not happen.

There's no overflow. It's a fortify check saying "you told me the buffer is
size N but it's actually smaller than that". Nothing ever accesses outside any
buffer.

But when __max is small, the alloca(sizeof(wchar_t) * __max) calculation
doesn't wrap and so the buffer size matches.

Reply via email to