[Boost-bugs] [Boost C++ Libraries] #13579: memory management in algorithm::is_any_of

Subject: [Boost-bugs] [Boost C++ Libraries] #13579: memory management in algorithm::is_any_of
From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2018-05-29 10:29:02


#13579: memory management in algorithm::is_any_of
------------------------------+-------------------------
 Reporter: anonymous | Owner: (none)
     Type: Bugs | Status: new
Milestone: To Be Determined | Component: None
  Version: Boost 1.63.0 | Severity: Showstopper
 Keywords: |
------------------------------+-------------------------
 In boost/algorithm/string/detail/classification.hpp, is_any_ofF contains a
 fixed buffer

 {{{
 set_value_type m_fixSet[sizeof(set_value_type*)*2];
 }}}

 This buffer is used for storage when the following predicate holds:

 {{{
 static bool use_fixed_storage(std::size_t size)
 {
     return size<=sizeof(set_value_type*)*2;
 }
 }}}

 Note that as the RHS of the inequality is measured in bytes, the argument
 ''size'' should also be measured in bytes. However, a typical use is as
 follows:

 {{{
 std::size_t Size=::boost::distance(Range);
 m_Size=Size;
 if(use_fixed_storage(m_Size))
 }}}

 boost::distance does not return a value in bytes; it returns the length of
 a sequence. It's quite possible for e.g. a sequence of length 2 to occupy
 16 bytes.

 This results in reads past the end of m_fixSet, and consequent segfaults.

-- 
Ticket URL: <https://svn.boost.org/trac10/ticket/13579>
Boost C++ Libraries <http://www.boost.org/>
Boost provides free peer-reviewed portable C++ source libraries.
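To let a reader check the units the report hinges on, here is an added C++ model of the fixed-buffer selection. It is example code written for this page, not Boost's is_any_ofF; the type name FixedOrHeapSet and the helpers fixed_capacity_elements, fixed_capacity_bytes, fixed_path_in_bounds and assign are assumptions. The buffer and the predicate are declared exactly as quoted in the ticket; the model then reports the buffer's element count and byte size separately and checks, for every element count that selects the fixed path, whether the writes stay inside the declared array.

```cpp
#include <cstddef>
#include <cstdio>
#include <iterator>
#include <vector>

// Hypothetical model of the pattern quoted in the ticket (not Boost's code).
// The buffer and the predicate are written exactly as in the quoted snippets.
template <class T>
struct FixedOrHeapSet {
    using set_value_type = T;

    // An array of sizeof(set_value_type*)*2 ELEMENTS of set_value_type.
    set_value_type m_fixSet[sizeof(set_value_type*) * 2];
    std::vector<set_value_type> m_heap;  // stand-in for the dynamic path
    std::size_t m_Size = 0;
    bool m_fixed = false;

    // Predicate as quoted: the threshold is sizeof(set_value_type*)*2.
    static bool use_fixed_storage(std::size_t size) {
        return size <= sizeof(set_value_type*) * 2;
    }

    // Number of elements the declared array can hold.
    static constexpr std::size_t fixed_capacity_elements() {
        return sizeof(m_fixSet) / sizeof(set_value_type);
    }

    // Byte size of the declared array (element count times element size).
    static constexpr std::size_t fixed_capacity_bytes() {
        return sizeof(m_fixSet);
    }

    // Mirrors the quoted use: Size is the element count of the range.
    // Returns true when the fixed buffer was used and every write stayed
    // inside it; false when the heap path was taken or a write would have
    // gone past the end (the guard stops before writing out of bounds).
    template <class It>
    bool assign(It first, It last) {
        std::size_t Size = static_cast<std::size_t>(std::distance(first, last));
        m_Size = Size;
        m_fixed = use_fixed_storage(m_Size);
        if (!m_fixed) {
            m_heap.assign(first, last);
            return false;
        }
        for (std::size_t i = 0; first != last; ++first, ++i) {
            if (i >= fixed_capacity_elements()) return false;  // bounds guard
            m_fixSet[i] = *first;
        }
        return true;
    }
};

// Largest element count for which the quoted predicate selects the fixed path.
template <class T>
constexpr std::size_t fixed_path_threshold() { return sizeof(T*) * 2; }

// True when a range of n elements of T either does not select the fixed path
// or fits entirely inside the declared array.
template <class T>
bool fixed_path_in_bounds(std::size_t n) {
    using S = FixedOrHeapSet<T>;
    return !S::use_fixed_storage(n) || n <= S::fixed_capacity_elements();
}

int main() {
    using S = FixedOrHeapSet<char32_t>;  // 4-byte elements: a length-2 range occupies 8 bytes
    std::printf("threshold=%zu elements, array=%zu elements (%zu bytes)\n",
                fixed_path_threshold<char32_t>(), S::fixed_capacity_elements(),
                S::fixed_capacity_bytes());

    // Sweep element counts well past the threshold and check the fixed path.
    bool all_ok = true;
    for (std::size_t n = 0; n <= 4 * fixed_path_threshold<char32_t>(); ++n)
        all_ok = all_ok && fixed_path_in_bounds<char32_t>(n);
    std::printf("fixed path in bounds for every n: %s\n", all_ok ? "yes" : "no");

    std::vector<char32_t> two = {U'a', U'b'};  // constructed sample range
    S s;
    std::printf("length-2 range uses fixed buffer: %s\n",
                s.assign(two.begin(), two.end()) ? "yes" : "no");
    return 0;
}
```

The assertions compare the predicate's threshold with the array's element count as declared; the byte size of the buffer is sizeof(T) times that count, which is the quantity to compare against if the threshold were meant in bytes. Swapping char32_t for another set_value_type changes the byte figures but not the element-count relation.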

This archive was generated by hypermail 2.1.7 : 2018-05-29 10:33:38 UTC