stdcxx-dev mailing list archives

From Martin Sebor <se...@roguewave.com>
Subject Re: rw_match can address to memory after end of string buffer
Date Sun, 09 Jul 2006 22:58:51 GMT
Martin Sebor wrote:
> Martin Sebor wrote:
> 
>> Farid Zaripov wrote:
>>
>>>   I found that the rw_match function can address to the memory after 
>>> the end of the string buffer.
>>>
>>>   It calls __rw_get_char to get the last character and this function 
>>> reads a character after the end of the string buffer:
>>>
>>> char.cpp line 534:
>>>     if ('<' == char (ch) && 'U' == src [0] && isxdigit (src [1])) {
>>>
>>> char.cpp line 548:
>>>     if ('@' == src [0] && isdigit (src [1])) {
>>>
>>>   src [0] - is the place of the fail.
>>
>>
>>
>> Hmm, that does look like a subtle bug in rw_match(). Let me look
>> into how best to fix it.

The commit below should fix it. I'm not 100% happy with the code
and suspect there might still be some bugs lurking in there but
if they are there the current test doesn't reveal them (even
under Sun dbx with memory checking on) and none of the string
tests is showing any signs of problems either.
http://svn.apache.org/viewvc?rev=420363&view=rev

Martin
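
The lookahead pattern quoted in the report, rewritten with an explicit end pointer. This is an added example, not part of the original message and not the stdcxx code or the referenced commit. The function name `get_char_bounded` and the reading of `<Uxxxx>` as a hex code point are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (NOT stdcxx's __rw_get_char): decode one character
   from the range [src, end). The "<Uxxxx>" form is assumed here to mean
   "hex code point"; it is decoded only when every byte inspected lies
   inside the range, otherwise the leading byte is returned literally. */
unsigned long
get_char_bounded (const char *src, const char *end, const char **next)
{
    if (src >= end) {               /* empty range: nothing to read */
        *next = end;
        return 0;
    }

    unsigned long ch = (unsigned char)*src++;

    /* The lookahead touches src[0] and src[1], so require two more bytes
       before evaluating it. The same guard belongs on the '@' check. */
    if ('<' == ch && end - src >= 2
        && 'U' == src [0] && isxdigit ((unsigned char)src [1])) {
        const char *p = src + 1;
        unsigned long val = 0;

        while (p < end && isxdigit ((unsigned char)*p)) {
            const int c = tolower ((unsigned char)*p++);
            val = val * 16 + (unsigned long)(isdigit (c) ? c - '0' : c - 'a' + 10);
        }
        if (p < end && '>' == *p) { /* accept only a terminated escape */
            *next = p + 1;
            return val;
        }
    }
    *next = src;                    /* literal byte, one position consumed */
    return ch;
}

int main (void)
{
    /* constructed input: a one-byte buffer with no terminating NUL */
    const char lone [1] = { '<' };
    const char *next;
    const unsigned long ch = get_char_bounded (lone, lone + 1, &next);

    printf ("ch=0x%lx consumed=%d\n", ch, (int)(next - lone));
    return 0;
}
```

Running a test like this under a memory checker with buffers that end exactly at the last character, with no NUL and no padding, is what exposes the unguarded `src [0]` read described in the report.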
