[libcxx] Don't deallocate non-pointer data in string assignment. (#67200)

jyknight · copybara-github · commit 645470002f05 · 2023-09-24T06:20:12.000-07:00
Previously, assignment to a std::basic_string type with a _custom_
allocator could under certain conditions attempt to interpret part of
the target string's "short" string-content as if it was a "long" data
pointer, and attempt to deallocate a garbage value.

This is a serious bug, but code in which it might happen is rare. It
required:

1. the basic_string must be using a custom allocator type which sets the
propagate_on_container_copy_assignment trait to true (thus, it does not
affect the default allocator, nor most custom allocators).
2. the allocator for the target string must compare not equal to the
allocator for the source string (many allocators always compare equal).
3. the source of the copy must currently contain a "long" string, and
the assignment-target must currently contain a "short" string.

Finally, the issue would've typically been innocuous when the bytes
misinterpreted as a pointer were all zero, as deallocating a nullptr is
typically a no-op. This is why existing test cases did not exhibit an
issue: they were all zero-length strings, which do not have data in the
bytes interpreted as a pointer.
NOKEYCHECK=True
GitOrigin-RevId: b0e19cfb6205d7cf36aa0fc3cb395205f7dc36ba
diff --git a/include/string b/include/string
@@ -1969,7 +1969,8 @@ private:
                     allocator_type __a = __str.__alloc();
                     auto __allocation = std::__allocate_at_least(__a, __str.__get_long_cap());
                     __begin_lifetime(__allocation.ptr, __allocation.count);
-                    __alloc_traits::deallocate(__alloc(), __get_long_pointer(), __get_long_cap());
+                    if (__is_long())
+                        __alloc_traits::deallocate(__alloc(), __get_long_pointer(), __get_long_cap());
                     __alloc() = std::move(__a);
                     __set_long_pointer(__allocation.ptr);
                     __set_long_cap(__allocation.count);
diff --git a/test/std/strings/basic.string/string.modifiers/string_assign/string.pass.cpp b/test/std/strings/basic.string/string.modifiers/string_assign/string.pass.cpp
@@ -90,6 +90,7 @@ TEST_CONSTEXPR_CXX20 bool test() {
     testAlloc(S(A(5)), S("1"), A());
     testAlloc(S(A(5)), S("1", A(7)), A(7));
     testAlloc(S(A(5)), S("1234567890123456789012345678901234567890123456789012345678901234567890", A(7)), A(7));
+    testAlloc(S("12345678901234567890", A(5)), S("1234567890123456789012345678901234567890123456789012345678901234567890", A(7)), A(7));
   }
 
 #if TEST_STD_VER >= 11

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,7 @@ TEST_CONSTEXPR_CXX20 bool test() {`
`90`	`90`	`testAlloc(S(A(5)), S("1"), A());`
`91`	`91`	`testAlloc(S(A(5)), S("1", A(7)), A(7));`
`92`	`92`	`testAlloc(S(A(5)), S("1234567890123456789012345678901234567890123456789012345678901234567890", A(7)), A(7));`
	`93`	`+ testAlloc(S("12345678901234567890", A(5)), S("1234567890123456789012345678901234567890123456789012345678901234567890", A(7)), A(7));`
`93`	`94`	`}`
`94`	`95`
`95`	`96`	`#if TEST_STD_VER >= 11`