Boost C++ Libraries: Ticket #13590: Bug in executor::_read_error leads to bad string allocation exception
https://svn.boost.org/trac10/ticket/13590

<p> Method executor::_read_error contains various weaknesses which can lead to string allocation with excessive length, causing exceptions at string construction or out-of-memory issues. </p>
<p> The most severe issue is caused by the fact that the method is not prepared for reading fragments from the pipe. As the pipe is not created with O_DIRECT, data can be fragmented. In fact, we observed that ::read returned just 4 bytes, although _write_error is writing 8 bytes. This leaves the second entry of the data[2] array uninitialized(!!), which is afterwards - without any check! - passed directly to the string creation: </p>
<blockquote> <p> std::string msg(data[1], ' '); --&gt; crash as data[1] contains random value </p> </blockquote>
<p> Also the second part of the function, which reads the error message text, is not prepared for reading fragmented data. </p>
<p> Patched code that works well here can be found attached. </p>

Elmar Daegele <elmar.daegele@…> Mon, 11 Jun 2018 09:16:57 GMT
attachment set
<ul> <li><strong>attachment</strong> → <span class="trac-field-new">executor.hpp</span> </li> </ul>