<format>: crash when formatting a floating-point value with `#`/`L` and a large precision

Open cpplearner opened this issue 1 year ago • 0 comments

Describe the bug

`<format>` uses a loop to find the beginning of the exponent part in order to insert trailing zeroes. But when `_Specs._Alt || _Specs._Localized` is true, the position has already been stored in `_Exponent_start`. The loop actually moves `_Exponent_start` away from the correct position, and eventually causes a crash due to out-of-bounds access.

https://github.com/microsoft/STL/blob/3eac329d1f614ecf138d96c22a3b02f87076bc4a/stl/inc/format#L3108-L3112

https://github.com/microsoft/STL/blob/3eac329d1f614ecf138d96c22a3b02f87076bc4a/stl/inc/format#L3087-L3089

Command-line test case

```
D:\test>type test-format-3.cpp
#include <format>
#include <iostream>

int main() {
    std::cout << std::format("{:#.1075e}\n", 1.0);
}

D:\test>cl /std:c++20 /EHs /utf-8 test-format-3.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.39.33321 for x64
Copyright (C) Microsoft Corporation.  All rights reserved.

test-format-3.cpp
Microsoft (R) Incremental Linker Version 14.39.33321.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:test-format-3.exe
test-format-3.obj

D:\test>test-format-3

D:\test>echo %errorlevel%
-1073741819
```

Expected behavior

no crash

STL version

https://github.com/microsoft/STL/commit/3eac329d1f614ecf138d96c22a3b02f87076bc4a

cpplearner, Jan 16 '24 05:01
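
The failure mode described in the issue, as a simplified model added here (not the STL source and not code from the issue author). It assumes the scan is a backward, pre-decrementing search for the exponent character, and it uses indices instead of pointers so that leaving the buffer is reported rather than executed; `scan_back` and `insert_trailing_zeroes` are hypothetical names.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Models a backward scan of the assumed form `while (*--pos != exp) {}`.
// Returns the index where the scan stops, or nullopt if it would walk past
// the front of the buffer (the out-of-bounds access from the issue).
std::optional<std::size_t> scan_back(std::string_view buf, std::size_t pos, char exp) {
    while (pos > 0) {
        --pos;                       // pre-decrement: the start position itself is never tested
        if (buf[pos] == exp) {
            return pos;
        }
    }
    return std::nullopt;
}

// Hardened insertion of `zeroes` trailing zeroes in front of the exponent.
// `known_exp` holds the exponent index when an earlier pass already recorded it
// (the `#`/`L` case in the issue); only when it is absent does the scan run.
// Returns false and leaves `s` untouched if no exponent can be located.
bool insert_trailing_zeroes(std::string& s, std::optional<std::size_t> known_exp,
                            std::size_t zeroes, char exp = 'e') {
    std::optional<std::size_t> at = known_exp;
    if (!at) {
        at = scan_back(s, s.size(), exp);
    }
    if (!at || *at >= s.size() || s[*at] != exp) {
        return false;                // stale or missing position: refuse instead of writing
    }
    s.insert(*at, zeroes, '0');
    return true;
}

int main() {
    std::string s = "1.000e+00";     // constructed sample; 'e' is at index 5
    // Scanning from one past the end finds the exponent; scanning again from
    // the already-correct index skips it and leaves the buffer.
    std::cout << scan_back(s, s.size(), 'e').has_value() << ' '
              << scan_back(s, 5, 'e').has_value() << '\n';
    insert_trailing_zeroes(s, 5, 3);
    std::cout << s << '\n';
}
```

The exit code in the test case, -1073741819, is 0xC0000005 (`STATUS_ACCESS_VIOLATION`), which is what the second `scan_back` call stands in for.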