Opened 4 years ago
Last modified 4 years ago
#13579 new Bugs
memory management in algorithm::is_any_of
Reported by: | anonymous | Owned by: | Marshall Clow |
---|---|---|---|
Milestone: | To Be Determined | Component: | string_algo |
Version: | Boost 1.63.0 | Severity: | Showstopper |
Keywords: | Cc: |
Description
In boost/algorithm/string/detail/classification.hpp, is_any_ofF contains a fixed buffer
set_value_type m_fixSet[sizeof(set_value_type*)*2];
This buffer is used for storage when the following predicate holds:
static bool use_fixed_storage(std::size_t size) { return size<=sizeof(set_value_type*)*2; }
Note that as the RHS of the inequality is measured in bytes, the argument size should also be measured in bytes. However, a typical use is as follows:
std::size_t Size=::boost::distance(Range); m_Size=Size; if(use_fixed_storage(m_Size))
boost::distance does not return a value in bytes; it returns the length of a sequence. It's quite possible for e.g. a sequence of length 2 to occupy 16 bytes.
This results in reads past the end of m_fixSet, and consequent segfaults.
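An added check, written here as an example and not taken from Boost or from the ticket: it wraps the two quoted declarations in a hypothetical probe struct (the names fixed_set_probe, capacity_elements, capacity_bytes, bytes_for_elements, max_count_admitted and predicate_can_overrun are assumptions), counts the capacity of m_fixSet both in elements and in bytes, and then tests whether any element count that use_fixed_storage admits exceeds the buffer's capacity counted in elements, which is the unit an index into m_fixSet is measured in.

```cpp
#include <cstddef>
#include <iostream>

// Hypothetical stand-in for the is_any_ofF storage quoted in the ticket
// (not Boost's code): the same fixed-buffer declaration and the same
// use_fixed_storage predicate, wrapped so that the capacity can be probed.
template <typename set_value_type>
struct fixed_set_probe {
    set_value_type m_fixSet[sizeof(set_value_type*) * 2];

    static bool use_fixed_storage(std::size_t size) {
        return size <= sizeof(set_value_type*) * 2;
    }
};

// Capacity of m_fixSet counted in elements, i.e. the way an index into it
// is counted when the buffer is filled with `size` elements of the range.
template <typename T>
std::size_t capacity_elements() {
    fixed_set_probe<T> probe;
    return sizeof(probe.m_fixSet) / sizeof(probe.m_fixSet[0]);
}

// Capacity of m_fixSet counted in bytes (the unit the ticket reasons in).
template <typename T>
std::size_t capacity_bytes() {
    fixed_set_probe<T> probe;
    return sizeof(probe.m_fixSet);
}

// Bytes occupied by `count` elements of the range's value type.
template <typename T>
std::size_t bytes_for_elements(std::size_t count) {
    return count * sizeof(T);
}

// Largest element count the predicate routes into the fixed buffer.
// The predicate is monotone in `size`, so the first false answer ends the scan.
template <typename T>
std::size_t max_count_admitted() {
    std::size_t n = 0;
    while (fixed_set_probe<T>::use_fixed_storage(n + 1)) ++n;
    return n;
}

// True if an admitted count would need more elements than m_fixSet holds,
// i.e. if copying that many elements into m_fixSet could run past its end.
template <typename T>
bool predicate_can_overrun() {
    return max_count_admitted<T>() > capacity_elements<T>();
}

int main() {
    std::cout << "char:    capacity " << capacity_elements<char>() << " elements, "
              << capacity_bytes<char>() << " bytes; predicate admits up to "
              << max_count_admitted<char>() << " elements; overrun "
              << (predicate_can_overrun<char>() ? "possible" : "impossible") << "\n";
    std::cout << "wchar_t: capacity " << capacity_elements<wchar_t>() << " elements, "
              << capacity_bytes<wchar_t>() << " bytes; predicate admits up to "
              << max_count_admitted<wchar_t>() << " elements; overrun "
              << (predicate_can_overrun<wchar_t>() ? "possible" : "impossible") << "\n";
    return 0;
}
```

Running it for a wide value type such as wchar_t shows the element capacity and the byte capacity of m_fixSet diverging, which is the distinction the ticket raises; the question that decides whether a copy runs past the end is the one in elements, and because the array length and the predicate's bound are the same expression, the check reports no admitted count above the element capacity on any pointer width.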
Change History (2)
comment:1 by , 4 years ago
Component: | None → string_algo |
---|---|
Owner: | set to |
comment:2 by , 4 years ago
I agree that something there is suspicious. The size of m_fixSet is really strange.