Boost C++ Libraries: Ticket #12915: Buffer overflow in boost::container::vector (affects flat_set)

attachment set

mykmartin@… — Mon, 20 Mar 2017 04:48:01 GMT

attachment → overflow.cc

mykmartin@… — Sun, 26 Mar 2017 22:57:46 GMT

Minor correction: the assert to show the problem should use <=:

assert(boost::uintptr_t(position) + sizeof(size_type) <= capaddr);

fdegros@… — Tue, 25 Jul 2017 01:10:22 GMT

Ping? Any progress on this ticket? The diagnosis and fix have been provided by the original reporter. Is the fix making its way into new releases of Boost Containers?

cc set

Wed, 26 Jul 2017 01:14:21 GMT

cc fdegros@… added

karl.tarbe@… — Wed, 20 Jun 2018 09:09:44 GMT

I might have also run into this. Why is this bug still new?

Ion Gaztañaga — Tue, 26 Jun 2018 21:26:42 GMT

vector's merge implementation was rewritten some releases ago. Provided overflow.cc correctly works under current develop branch with gcc with ASAN+UBSAN.

attachment set

karl.tarbe@… — Tue, 26 Jun 2018 22:58:06 GMT

attachment → test.cpp

When run with valgrind: invalid write of size 8

attachment set

karl.tarbe@… — Tue, 26 Jun 2018 23:07:05 GMT

attachment → log

Log of valgrind output

karl.tarbe@… — Tue, 26 Jun 2018 23:10:15 GMT

I have attached test.cpp and log of valgrind output on it.

I am using Arch linux with boost 1.67.0-4 and gcc 8.1.1+20180531-1

This might be a separate bug, but I am not sure.

Ion Gaztañaga — Wed, 27 Jun 2018 12:22:11 GMT

Thanks for the new test case, it's a separate bug, working on it.

Ion Gaztañaga — Wed, 27 Jun 2018 21:28:10 GMT

Looks like the following commit:

https://github.com/boostorg/move/commit/ddeb2341271583d25a0a9974d339b519b8e18dc9

fixes the issue. Will be released in 1.68.

karl.tarbe@… — Thu, 28 Jun 2018 07:47:35 GMT

Thank you for quickly addressing the issue.

karl.tarbe@… — Thu, 28 Jun 2018 09:49:40 GMT

I have one follow-up question. Which Boost versions are affected by this (the one I provided the test case for) bug.

So I can use BOOST_VERSION to switch between workaround (insert one-by-one) and the faster method.

Ion Gaztañaga — Thu, 28 Jun 2018 21:03:14 GMT

There were other bugs related to this in Boost 1.67, so I would say soon to be released version 1.68 will be safe.

status changed; resolution set

Ion Gaztañaga — Mon, 31 Dec 2018 17:26:22 GMT

status new → closed
resolution → fixed

Closing the bug.