fastfloat / fast_float

Fast and exact implementation of the C++ from_chars functions for number types: 4x to 10x faster than strtod, part of GCC 12, Chromium, Redis and WebKit/Safari
Apache License 2.0

Buffer overflow in parse_int_string #235

Closed ergpudb closed 9 months ago

ergpudb commented 9 months ago

When using fast_float::from_chars for an integer type, address sanitizer detects a heap buffer overflow when the string being parsed is "0". It does not seem to occur for a string of "1" or other values I've tried. (It looks like it's in "skip past leading 0's" code.)

    #include <vector>
    #include "fast_float/fast_float.h"
    int main() {
        // Note: using vector to force exact heap allocation
        std::vector<char> s = {'0'};
        int foo;
        fast_float::from_chars(s.data(), s.data() + s.size(), foo);
    }

Gives:

==731531==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000013951 at pc 0x5ce60f39ba08 bp 0x7ffc5ff31c30 sp 0x7ffc5ff31c20
READ of size 1 at 0x602000013951 thread T0
    #0 0x5ce60f39ba07 in fast_float::from_chars_result_t<char> fast_float::parse_int_string<int, char>(char const*, char const*, int&, int) /include/fast_float/ascii_number.h:466
    #1 0x5ce60f39ba07 in fast_float::from_chars_result_t<char> fast_float::from_chars<int, char, int>(char const*, char const*, int&, int) /include/fast_float/parse_number.h:250
    #2 0x5ce60f39ba07 in main

0x602000013951 is located 0 bytes to the right of 1-byte region [0x602000013950,0x602000013951)
allocated by thread T0 here:
    #0 0x73c0c8eb61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x5ce60f39b434 in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/11/ext/new_allocator.h:127
    #2 0x5ce60f39b434 in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/include/c++/11/bits/alloc_traits.h:464
    #3 0x5ce60f39b434 in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/include/c++/11/bits/stl_vector.h:346
    #4 0x5ce60f39b434 in void std::vector<char, std::allocator<char> >::_M_range_initialize<char const*>(char const*, char const*, std::forward_iterator_tag) /usr/include/c++/11/bits/stl_vector.h:1582
    #5 0x5ce60f39b434 in std::vector<char, std::allocator<char> >::vector(std::initializer_list<char>, std::allocator<char> const&) /usr/include/c++/11/bits/stl_vector.h:629
    #6 0x5ce60f39b434 in main

fast_float 6.0.0 / gcc 11.4 / Ubuntu 22.04
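As an added illustration of the bug class in this report (example code, not fast_float's own implementation): a from_chars-style unsigned decimal parser whose leading-zero skip tests the bound before every dereference, fed the reporter's exactly-sized vector input so the same AddressSanitizer check can be run against it. parse_result, parse_uint, parses_to and error_for are names invented for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>
#include <system_error>
#include <vector>

// from_chars-style result: where parsing stopped and an error code.
struct parse_result {
    const char* ptr;
    std::errc ec;
};

// Hardened unsigned decimal parser (hypothetical, not the library's code).
// The report above points at the leading-zero skip; a loop of the shape
// `while (*p == '0') ++p;` reads p == last on the one-byte input "0".
// Here every read of *p is preceded by the bound test, so an exact-size
// heap buffer is never overread.
parse_result parse_uint(const char* first, const char* last, std::uint64_t& value) {
    const char* p = first;
    while (p != last && *p == '0') ++p;          // bound first, then dereference
    const bool had_zeros = (p != first);
    const char* digits = p;
    std::uint64_t v = 0;
    const std::uint64_t max = std::numeric_limits<std::uint64_t>::max();
    while (p != last && *p >= '0' && *p <= '9') {
        const std::uint64_t d = static_cast<std::uint64_t>(*p - '0');
        if (v > (max - d) / 10) return {p, std::errc::result_out_of_range};
        v = v * 10 + d;
        ++p;
    }
    if (p == digits && !had_zeros) return {first, std::errc::invalid_argument};
    value = v;
    return {p, std::errc{}};
}

// Helpers for exercising the parser on std::string inputs.
bool parses_to(const std::string& s, std::uint64_t expected) {
    std::uint64_t v = 0;
    parse_result r = parse_uint(s.data(), s.data() + s.size(), v);
    return r.ec == std::errc{} && r.ptr == s.data() + s.size() && v == expected;
}
std::errc error_for(const std::string& s) {
    std::uint64_t v = 0;
    return parse_uint(s.data(), s.data() + s.size(), v).ec;
}

int main() {
    // The reporter's reproduction: an exactly-sized heap buffer holding "0".
    // Built with -fsanitize=address, an overreading skip loop is flagged here.
    std::vector<char> s = {'0'};
    std::uint64_t value = 0;
    parse_result r = parse_uint(s.data(), s.data() + s.size(), value);
    std::printf("value=%llu consumed=%llu\n", (unsigned long long)value,
                (unsigned long long)(r.ptr - s.data()));
    return r.ec == std::errc{} ? 0 : 1;
}
```

Compile with `-fsanitize=address` and substitute fast_float::from_chars for parse_uint in main to reproduce the report against the library itself.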

lemire commented 9 months ago

Verified.