[llvm-bugs] [Bug 143684] [libc++] Out-of-bounds read in `std::bitset` constructor from `char*`

LLVM Bugs via llvm-bugs Wed, 11 Jun 2025 04:08:44 -0700

Issue	143684
Summary	[libc++] Out-of-bounds read in `std::bitset` constructor from `char*`
Labels	libc++
Assignees
Reporter	Eisenwave

    https://github.com/llvm/llvm-project/blob/40cc7b4578fd2d65aaef8356fbe7caf2d84a8f3e/libcxx/include/bitset#L645-L658


This constructor is incorrectly implemented, leading to out-of-bounds reads on the given `__str`.

```cpp
std::min(__n, char_traits<_CharT>::length(__str));
```
Will unconditionally call `::length`, even if a size was explicitly specified, and if the string is not null-terminated (it doesn't have to be), `length` goes past the end of `__str`.

The implementation described in [[bitset.cons]](https://eel.is/c++draft/bitset.cons) is:
```cpp
bitset(n == basic_string_view<charT>::npos
          ? basic_string_view<charT>(str)
 : basic_string_view<charT>(str, n),
       0, n, zero, one)
```
This will only try to search for a null terminator if `n == npos`, but libc++ implements no such short-circuiting.

_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs

[llvm-bugs] [Bug 143684] [libc++] Out-of-bounds read in `std::bitset` constructor from `char*`

Reply via email to