Boost C++ Libraries: Ticket #11536: string_ref::substr length overflow https://svn.boost.org/trac10/ticket/11536 <p> basic_string_ref::substr returns invalid object in some cases: </p> <div class="wiki-code"><div class="code"><pre><span class="n">string_ref</span> <span class="nf">s1</span><span class="p">(</span><span class="s">&quot;hello&quot;</span><span class="p">);</span> <span class="n">string_ref</span> <span class="n">s2</span> <span class="o">=</span> <span class="n">s1</span><span class="p">.</span><span class="n">substr</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">string_ref</span><span class="o">::</span><span class="n">npos</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// EXPECT s2.size() &lt;= s1.size()</span> </pre></div></div><p> version with overflow check: </p> <div class="wiki-code"><div class="code"><pre><span class="n">basic_string_ref</span> <span class="nf">substr</span><span class="p">(</span><span class="n">size_type</span> <span class="n">pos</span><span class="p">,</span> <span class="n">size_type</span> <span class="n">n</span><span class="o">=</span><span class="n">npos</span><span class="p">)</span> <span class="k">const</span> <span class="p">{</span> <span class="p">...</span> <span class="c1">// add overflow check: pos + n &lt; n</span> <span class="k">if</span> <span class="p">(</span> <span class="n">n</span> <span class="o">==</span> <span class="n">npos</span> <span class="o">||</span> <span class="n">pos</span> <span class="o">+</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="n">size</span><span class="p">()</span> <span class="o">||</span> <span class="n">pos</span> <span class="o">+</span> <span class="n">n</span> <span class="o">&lt;</span> <span class="n">n</span> <span class="p">)</span> <span class="n">n</span> <span class="o">=</span> <span class="n">size</span> <span class="p">()</span> <span class="o">-</span> <span class="n">pos</span><span class="p">;</span> <span class="p">...</span> </pre></div></div> en-us Boost C++ Libraries /htdocs/site/boost.png https://svn.boost.org/trac10/ticket/11536 Trac 1.4.3 Marshall Clow Wed, 12 Aug 2015 17:23:50 GMT owner changed https://svn.boost.org/trac10/ticket/11536#comment:1 https://svn.boost.org/trac10/ticket/11536#comment:1 <ul> <li><strong>owner</strong> changed from <span class="trac-author">No-Maintainer</span> to <span class="trac-author">Marshall Clow</span> </li> </ul> <p> Ok, that's obscure. :-) thanks for the bug report. </p> <p> Beman has done a bunch of work on string_ref, and after the 1.59.0 release, I will be integrating his changes. I'll make sure that this gets fixed then. </p> Ticket Marshall Clow Mon, 13 Feb 2017 18:49:52 GMT status changed; resolution set https://svn.boost.org/trac10/ticket/11536#comment:2 https://svn.boost.org/trac10/ticket/11536#comment:2 <ul> <li><strong>status</strong> <span class="trac-field-old">new</span> → <span class="trac-field-new">closed</span> </li> <li><strong>resolution</strong> → <span class="trac-field-new">fixed</span> </li> </ul> <p> Better change: </p> <blockquote> <p> return basic_string_ref(data() + pos, (std::min)(size() - pos, n)); </p> </blockquote> <p> No worries about over/underflow on <code>n</code>, because we never do arithmetic on it. </p> <p> No worries about over/underflow on <code>size() - pos</code>, because we know that <code>size() &gt;= pos</code>. </p> <p> Committed as: 0876da4 </p> Ticket