Subject: [Boost-bugs] [Boost C++ Libraries] #2521: date_time exceeds array bounds in special_value_from_string
From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2008-11-21 02:06:49
#2521: date_time exceeds array bounds in special_value_from_string
--------------------------------------------------+-------------------------
Reporter: Brad Spencer <spencer_at_[hidden]> | Owner: az_sw_dude
Type: Bugs | Status: new
Milestone: Boost 1.38.0 | Component: date_time
Version: Boost 1.37.0 | Severity: Problem
Keywords: |
--------------------------------------------------+-------------------------
gcc-4.3.2 found this with its new -Warray-bounds feature. It took a few
minutes to track down even with the compiler pointing in the right
direction:
In
https://svn.boost.org/trac/boost/browser/trunk/libs/date_time/src/gregorian/greg_month.cpp#L76
an array called special_value_names (defined in
https://svn.boost.org/trac/boost/browser/trunk/libs/date_time/src/gregorian/greg_names.hpp#L22
) is passed into the function find_match() as array to search.
The enumeration constant date_time::NumSpecialValues (defined in
https://svn.boost.org/trac/boost/browser/trunk/boost/date_time/special_defs.hpp#L15
) is passed to find_match() as the "limit" argument.
The find_match() function (defined in
https://svn.boost.org/trac/boost/browser/trunk/boost/date_time/date_parsing.hpp#L76
) uses "limit" as an "up to and including" bounds on its for() loop for
iterating over the array(s).
However, the NumSpecialValues enumeration member has a value of 6 (it
follows the 6 valid enum values), and the special_value_names contains
only 6 strings (corresponding to those 6 valid enum values). Because
find_match() goes "up to and including" its limit, in this instance it can
go off the end of the special_value_names array.
The documentation on find_match() is ambiguous as to whether or not the
"limit" index itself is intended to be referenced, but it is very explicit
that date_time::NumSpecialValues is supposed to be a valid argument for
limit. This would seem to imply that the for() loop condition is wrong,
except that all the other uses of find_match() use a constrained_value
with a max() value that is the maximum desired value.
I think the best conclusion here is that passing a "count"-type value
(NumSpecialValues) for a "max"-type value (the more ambiguously named
"limit") is incorrect. Thus, the attached patch.
-- Ticket URL: <https://svn.boost.org/trac/boost/ticket/2521> Boost C++ Libraries <http://www.boost.org/> Boost provides free peer-reviewed portable C++ source libraries.
This archive was generated by hypermail 2.1.7 : 2017-02-16 18:49:59 UTC