Buffer overflow with string_view format string that isn't null terminated

[msimonsson]

Hi,

It looks like the format strings are assumed to be null-terminated.
Here is a simple example that will result in a stack-overflow:

const char c[] = {'{', 'y'};
const std::string_view f{c, 2};
const auto s = fmt::format(f, 42);

I found this when fuzzing with libFuzzer.

[vitaut]

Which {fmt} version? I get an exception with the message "argument not found" as expected.

[msimonsson]

Which {fmt} version?

master

You have to compile with sanitizers, I should have mentioned that:
https://clang.llvm.org/docs/AddressSanitizer.html

Here is the code I used to fuzz the library, it will give a heap-buffer-overflow within seconds:

#include "fmt/format.hh"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    try
    {
        const std::string_view f{reinterpret_cast<const char*>(data), size};  
        fmt::format(f, 42, 328.238123, "abc");
    }
    catch (const fmt::format_error&)
    {
        // Ignore
    }

    return 0;
}

[vitaut]

Fixed in de71db6, thanks for catching this!

[vitaut]

The dereferenced value was never used BTW, but it was still technically a UB I think.