https://gcc.gnu.org/bugzilla/show_bug.cgi?id=28277
--- Comment #19 from Jonathan Wakely <redi at gcc dot gnu.org> ---
My patch missed a case for num_put, which I'll fix.

Here's a crash test for codecvt::do_length in codecvt_members.cc:

#include <locale>
#include <algorithm>  // std::fill_n

int main()
{
  using namespace std;
  auto& cvt = use_facet<codecvt<wchar_t, char, mbstate_t>>(locale::classic());
  mbstate_t st = { };
  size_t n = 8 * 1024 * 1024;
  char* s = new char[n+1];
  std::fill_n(s, n, 'a');
  s[n] = '\0';
  // n is passed as the max argument of length()
  cvt.length(st, s, s+6, n);
}

The remaining uses in <bits/locale_facets_nonio.tcc> seem to be limited to sane
values.

messages<wchar_t>::do_get also looks vulnerable, but I haven't tested it.