Opened 7 years ago
Closed 6 years ago
#11536 closed Bugs (fixed)
string_ref::substr length overflow
| Reported by: | Owned by: | Marshall Clow | |
|---|---|---|---|
| Milestone: | To Be Determined | Component: | utility |
| Version: | Severity: | Problem | |
| Keywords: | Cc: |
Description
basic_string_ref::substr returns invalid object in some cases:
```cpp
string_ref s1("hello");
string_ref s2 = s1.substr(0, string_ref::npos - 1);
// EXPECT s2.size() <= s1.size()
```
version with overflow check:
```cpp
basic_string_ref substr(size_type pos, size_type n=npos) const {
    ...
    // add overflow check: pos + n < n
    if ( n == npos || pos + n > size() || pos + n < n )
        n = size () - pos;
    ...
```
Change History (2)
comment:1 by , 7 years ago
| Owner: | changed from to |
|---|
comment:2 by , 6 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Better change:
```cpp
return basic_string_ref(data() + pos, (std::min)(size() - pos, n));
```
No worries about over/underflow on n, because we never do arithmetic on it.
No worries about over/underflow on size() - pos, because we know that size() >= pos.
Committed as: 0876da4

Ok, that's obscure. :-) Thanks for the bug report.
Beman has done a bunch of work on string_ref, and after the 1.59.0 release, I will be integrating his changes. I'll make sure that this gets fixed then.
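
The three length computations discussed in this ticket, side by side, as an added example that is not part of the ticket or of Boost's source. The `ref` type, its member names and the `pos > size()` precondition check are assumptions made for illustration; `pos = 2` is used so that `pos + n` actually wraps past zero.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <stdexcept>

// Hypothetical stand-in for basic_string_ref; not Boost's header.
struct ref {
    const char* ptr;
    std::size_t len;
    static constexpr std::size_t npos = static_cast<std::size_t>(-1);

    std::size_t size() const { return len; }

    // Assumed precondition check, so size() - pos cannot underflow.
    void check(std::size_t pos) const {
        if (pos > size()) throw std::out_of_range("ref::substr");
    }
    // Clamp without a wrap test: pos + n can wrap past zero and skip the clamp.
    ref substr_unchecked(std::size_t pos, std::size_t n = npos) const {
        check(pos);
        if (n == npos || pos + n > size()) n = size() - pos;
        return ref{ptr + pos, n};
    }
    // Condition from the ticket description: also catch pos + n wrapping.
    ref substr_wrap_check(std::size_t pos, std::size_t n = npos) const {
        check(pos);
        if (n == npos || pos + n > size() || pos + n < n) n = size() - pos;
        return ref{ptr + pos, n};
    }
    // Expression from comment:2: no arithmetic is done on n.
    ref substr_min(std::size_t pos, std::size_t n = npos) const {
        check(pos);
        return ref{ptr + pos, (std::min)(size() - pos, n)};
    }
};

int main() {
    ref s{"hello", 5};                      // constructed sample input
    const std::size_t n = ref::npos - 1;    // 2 + n wraps to 0
    std::printf("unchecked:  %zu\n", s.substr_unchecked(2, n).size());
    std::printf("wrap check: %zu\n", s.substr_wrap_check(2, n).size());
    std::printf("std::min:   %zu\n", s.substr_min(2, n).size());
    return 0;
}
```

A view whose recorded length exceeds the underlying buffer turns every later bounds check made against `size()` into an out-of-bounds read, which is why the clamp has to hold for all values of `n`.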