Boost C++ Libraries: Ticket #7745: text_iarchive crashes on invalid data
https://svn.boost.org/trac10/ticket/7745

Description

<p> The following code randomly triggers an OOM if the "in" parameter does not start with a number. </p>
<pre class="wiki">
#include &lt;sstream&gt;
#include &lt;string&gt;
#include &lt;boost/archive/text_iarchive.hpp&gt;
#include &lt;boost/serialization/nvp.hpp&gt;

template &lt;typename Type&gt;
void from_string(const std::string &amp;in, Type &amp;out)
{
    std::stringstream ss(in);
    boost::archive::text_iarchive ia(ss);  // the archive header is parsed here (see frame #13 below)
    ia &gt;&gt; boost::serialization::make_nvp("obj", out);
}
</pre>
<p> This is a Linux box (gcc compiler and libstdc++), so the real allocation starts in memset, not in new. Here is the backtrace which causes it. </p>
<pre class="wiki">
#0  0x0000003a48c7a203 in memset () from /lib64/libc.so.6
#1  0x0000003fa449cce2 in std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt;::append(unsigned long, char) () from /usr/lib64/libstdc++.so.6
#2  0x00002aaaaab03b89 in resize (this=0x7fffffffe3a0, s="") at /usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../include/c++/4.1.2/bits/basic_string.h:629
#3  boost::archive::text_iarchive_impl&lt;boost::archive::text_iarchive&gt;::load (this=0x7fffffffe3a0, s="") at ./boost/archive/impl/text_iarchive_impl.ipp:55
#4  0x00002aaaaab03c44 in load_primitive&lt;boost::archive::text_iarchive, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; &gt; (this=0x2aab59734fb0) at ./boost/archive/detail/iserializer.hpp:107
#5  invoke&lt;std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; &gt; (this=0x2aab59734fb0) at ./boost/archive/detail/iserializer.hpp:338
#6  invoke&lt;std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; &gt; (this=0x2aab59734fb0) at ./boost/archive/detail/iserializer.hpp:415
#7  load&lt;boost::archive::text_iarchive, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; &gt; (this=0x2aab59734fb0) at ./boost/archive/detail/iserializer.hpp:554
#8  load_override&lt;std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; &gt; (this=0x2aab59734fb0) at ./boost/archive/detail/common_iarchive.hpp:61
#9  load_override&lt;std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; &gt; (this=0x2aab59734fb0) at ./boost/archive/basic_text_iarchive.hpp:62
#10 load_override&lt;std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; &gt; (this=0x2aab59734fb0) at ./boost/archive/text_iarchive.hpp:66
#11 operator&gt;&gt;&lt;std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; &gt; (this=0x2aab59734fb0) at ./boost/archive/detail/interface_iarchive.hpp:61
#12 boost::archive::basic_text_iarchive&lt;boost::archive::text_iarchive&gt;::init (this=0x2aab59734fb0) at ./boost/archive/impl/basic_text_iarchive.ipp:50
#13 0x00002aaaaab03fb8 in boost::archive::text_iarchive_impl&lt;boost::archive::text_iarchive&gt;::text_iarchive_impl (this=0x7fffffffe3a0, is=&lt;value optimized out&gt;, flags=0) at ./boost/archive/impl/text_iarchive_impl.ipp:123
#14 0x000000000043fe16 in boost::archive::text_iarchive::text_iarchive (this=0x7fffffffe3a0, is_=..., flags=0) at /usr/include/boost/archive/text_iarchive.hpp:115
#15 0x0000000000440549 in from_string&lt;log_info_t&gt;
</pre>

comment:1 by ivagulin@…, Wed, 28 Nov 2012 09:58:16 GMT (component changed; cc, owner set)
https://svn.boost.org/trac10/ticket/7745#comment:1
<ul> <li><strong>cc</strong> <span class="trac-author">ivagulin@…</span> added </li> <li><strong>owner</strong> set to <span class="trac-author">Robert Ramey</span> </li> <li><strong>component</strong> <span class="trac-field-old">None</span> → <span class="trac-field-new">serialization</span> </li> </ul>

ivagulin@…, Wed, 28 Nov 2012 10:00:38 GMT (attachment set)
https://svn.boost.org/trac10/ticket/7745
<ul> <li><strong>attachment</strong> → <span class="trac-field-new">text-iarchive-crash.patch</span> </li> </ul>
<p> The attached patch fixes the problem for me. </p>

comment:2 by anonymous, Wed, 05 Dec 2012 23:18:25 GMT (type changed)
https://svn.boost.org/trac10/ticket/7745#comment:2
<ul> <li><strong>type</strong> <span class="trac-field-old">Bugs</span> → <span class="trac-field-new">Patches</span> </li> </ul>

comment:3 by Robert Ramey, Wed, 12 Dec 2012 21:56:58 GMT
https://svn.boost.org/trac10/ticket/7745#comment:3
<p> There should be no need to initialize the size variable. Perhaps the archive file was corrupted in some way. </p>
<p> Robert Ramey </p>

comment:4 by Igor Vagulin (ivagulin@…), Wed, 12 Dec 2012 22:28:48 GMT
https://svn.boost.org/trac10/ticket/7745#comment:4
<p> Yes, the archive was incorrect (it was "**nonexistent-key**"; redis-cplusplus-client uses it as a mark of a non-existent key). I expect some kind of exception, but I get a program which tries to allocate 2**30 of RAM. With my patch I get std::bad_alloc. I believe it is much better behaviour. </p>
<p> Maybe my explanation is not very clear. Here is what I get step by step: </p>
<pre class="wiki">
text_iarchive_impl&lt;Archive&gt;::load(std::string &amp;s){
    std::size_t size;        //here size set to some junk from stack, in my bad case it was -1
    this-&gt;This() &gt;&gt; size;    //libstdc++, gcc4.4 didn't set size, it still ~2**30
    is.get();
    s.resize(size);          //allocation of size set to -1
    ...
}
</pre>
<p> The only downside of this patch I can imagine is the mostly unneeded initialization of a variable, but: </p>
<ul><li>I wasn't able to measure it </li><li>The increase in stability outweighs this in my opinion </li></ul>

comment:5 by Igor Vagulin (ivagulin@…), Wed, 12 Dec 2012 22:33:54 GMT
https://svn.boost.org/trac10/ticket/7745#comment:5
<p> Sorry for the bad format, here it is properly formatted. </p>
<pre class="wiki">
text_iarchive_impl&lt;Archive&gt;::load(std::string &amp;s){
    std::size_t size;        //here size set to some junk from stack, in my bad case it was -1
    this-&gt;This() &gt;&gt; size;    //libstdc++, gcc4.4 didn't set size, it still ~2**30
    is.get();
    s.resize(size);          //allocation of size set to -1
    ...
}
</pre>

comment:6 by Robert Ramey, Thu, 13 Dec 2012 19:14:18 GMT (status changed; resolution set)
https://svn.boost.org/trac10/ticket/7745#comment:6
<ul> <li><strong>status</strong> <span class="trac-field-old">new</span> → <span class="trac-field-new">closed</span> </li> <li><strong>resolution</strong> → <span class="trac-field-new">invalid</span> </li> </ul>

comment:7 by Igor Vagulin (ivagulin@…), Sun, 16 Dec 2012 00:35:12 GMT
https://svn.boost.org/trac10/ticket/7745#comment:7
<p> Can you please provide the rationale for the bug invalidation? Is there any better way to check for archive validity other than trying to extract an object from it? </p>
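<p> As an added example that is not part of the ticket, of Boost, or of redis-cplusplus-client: a stand-alone C++ program that models the load(std::string &amp;) pattern shown in comment 5 (a length prefix extracted with operator&gt;&gt; and handed straight to resize()) and, beside it, a loader for the same length-prefixed layout that makes the checks the original skips: the stream state after the extraction, a leading digit, the separator, a size cap, and the number of bytes actually left in the input. The "decimal length, one space, payload bytes" layout, the max_len parameter and all function names are assumptions made for this example; the sentinel string "**nonexistent-key**" is the one quoted in comment 4. </p>

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <limits>
#include <sstream>
#include <stdexcept>
#include <string>

// What operator>> leaves in the length variable when the input does not start
// with a number. This models the ticket's load(std::string&) pattern; it is not
// Boost's code. 'size' is preloaded with a stand-in for the stack junk that
// comment 4 describes. Pre-C++11 libstdc++ leaves the variable untouched on
// failure; C++11 num_get stores 0 (no digits) or the maximum (overflow), so the
// value is platform dependent. What is stable is failbit, which the original
// loader never examined before calling resize().
struct LengthProbe {
    std::size_t size;   // value the unchecked loader would pass to resize()
    bool failed;        // stream failbit after the extraction
};

LengthProbe unchecked_length(const std::string &in) {
    std::size_t size = std::numeric_limits<std::size_t>::max();  // "stack junk"
    std::stringstream ss(in);
    ss >> size;                  // the ticket's `this->This() >> size`
    LengthProbe p;
    p.size = size;
    p.failed = ss.fail();
    return p;                    // the original would now do s.resize(size)
}

// Hardened loader for the assumed "<decimal length><space><bytes>" layout.
// Each numbered check is one the unchecked version omits.
std::string load_string_checked(const std::string &in, std::size_t max_len) {
    std::stringstream ss(in);

    // 1. The length field must begin with a digit. This rejects "**...", empty
    //    input, leading whitespace and "-1"; operator>> into an unsigned type
    //    does not reliably refuse a leading minus sign.
    int c = ss.peek();
    if (c == std::char_traits<char>::eof() ||
        !std::isdigit(static_cast<unsigned char>(c)))
        throw std::runtime_error("archive: length field is not a number");

    // 2. Check the stream state instead of trusting the variable.
    std::size_t size = 0;
    if (!(ss >> size))
        throw std::runtime_error("archive: bad length field");

    // 3. The separating space the writer emits must actually be present.
    if (ss.get() != ' ')
        throw std::runtime_error("archive: missing separator after length");

    // 4. Bound the length before touching the allocator: a policy cap and the
    //    number of bytes that really remain in the input.
    std::streamoff consumed = ss.tellg();
    if (consumed < 0)
        throw std::runtime_error("archive: cannot determine stream position");
    std::size_t remaining = in.size() - static_cast<std::size_t>(consumed);
    if (size > max_len || size > remaining)
        throw std::runtime_error("archive: length exceeds limit or input");

    // 5. Read exactly 'size' bytes and verify that many arrived.
    std::string s(size, '\0');
    if (size > 0) {
        ss.read(&s[0], static_cast<std::streamsize>(size));
        if (static_cast<std::size_t>(ss.gcount()) != size)
            throw std::runtime_error("archive: truncated string payload");
    }
    return s;
}

// True if the hardened loader refuses the input with an exception instead of
// allocating; a 1 MiB cap is an arbitrary policy value for the example.
bool rejects(const std::string &in, std::size_t max_len = 1 << 20) {
    try {
        load_string_checked(in, max_len);
        return false;
    } catch (const std::runtime_error &) {
        return true;
    }
}

int main() {
    const std::string bad = "**nonexistent-key**";   // sentinel from comment 4
    LengthProbe p = unchecked_length(bad);
    std::cout << "unchecked: failbit=" << p.failed << " size=" << p.size << '\n';
    std::cout << "checked rejects sentinel: " << rejects(bad) << '\n';
    std::cout << "checked rejects \"-1 x\": " << rejects("-1 x") << '\n';
    std::cout << "checked parses \"5 hello\": " << load_string_checked("5 hello", 64) << '\n';
    return 0;
}
```

<p> With the unchecked model the sentinel leaves failbit set and a length value nobody looks at, which is the situation the backtrace shows one step before memset. With the checked loader every malformed input above surfaces as a std::runtime_error before any allocation happens, the "some kind of exception" comment 4 expected. The digit check is deliberately stricter than operator&gt;&gt; (it also refuses leading whitespace); loosen it only if the writer side is known to emit such input. </p>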