https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92853
--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Author: redi
Date: Mon Dec 9 11:16:29 2019
New Revision: 279115

URL: https://gcc.gnu.org/viewcvs?rev=279115&root=gcc&view=rev
Log:
libstdc++: fix buffer overflow in path::operator+= (PR92853)

When concatenating a path ending in a root-directory onto another path,
we added an empty filename to the end of the path twice, but only
reserved space for one. That meant the second write went past the end of
the allocated buffer.

	PR libstdc++/92853
	* src/c++17/fs_path.cc (filesystem::path::operator+=(const path&)):
	Do not process a trailing directory separator twice.
	* testsuite/27_io/filesystem/path/concat/92853.cc: New test.
	* testsuite/27_io/filesystem/path/concat/path.cc: Test more cases.
	* testsuite/27_io/filesystem/path/concat/strings.cc: Test more cases.

Added:
    branches/gcc-9-branch/libstdc++-v3/testsuite/27_io/filesystem/path/concat/92853.cc
      - copied, changed from r279103, branches/gcc-9-branch/libstdc++-v3/testsuite/27_io/filesystem/path/concat/path.cc
Modified:
    branches/gcc-9-branch/libstdc++-v3/ChangeLog
    branches/gcc-9-branch/libstdc++-v3/src/c++17/fs_path.cc
    branches/gcc-9-branch/libstdc++-v3/testsuite/27_io/filesystem/path/concat/path.cc
    branches/gcc-9-branch/libstdc++-v3/testsuite/27_io/filesystem/path/concat/strings.cc