<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Issue 2499: operator&gt;&gt;(basic_istream&amp;, CharT*) makes it hard to avoid buffer overflows</title>
<meta property="og:title" content="Issue 2499: operator&gt;&gt;(basic_istream&amp;, CharT*) makes it hard to avoid buffer overflows">
<meta property="og:description" content="C++ library issue. Status: Resolved">
<meta property="og:url" content="https://cplusplus.github.io/LWG/issue2499.html">
<meta property="og:type" content="website">
<meta property="og:image" content="http://cplusplus.github.io/LWG/images/cpp_logo.png">
<meta property="og:image:alt" content="C++ logo">
<style>
  p {text-align:justify}
  li {text-align:justify}
  pre code.backtick::before { content: "`" }
  pre code.backtick::after { content: "`" }
  blockquote.note
  {
    background-color:#E0E0E0;
    padding-left: 15px;
    padding-right: 15px;
    padding-top: 1px;
    padding-bottom: 1px;
  }
  ins {background-color:#A0FFA0}
  del {background-color:#FFA0A0}
  table.issues-index { border: 1px solid; border-collapse: collapse; }
  table.issues-index th { text-align: center; padding: 4px; border: 1px solid; }
  table.issues-index td { padding: 4px; border: 1px solid; }
  table.issues-index td:nth-child(1) { text-align: right; }
  table.issues-index td:nth-child(2) { text-align: left; }
  table.issues-index td:nth-child(3) { text-align: left; }
  table.issues-index td:nth-child(4) { text-align: left; }
  table.issues-index td:nth-child(5) { text-align: center; }
  table.issues-index td:nth-child(6) { text-align: center; }
  table.issues-index td:nth-child(7) { text-align: left; }
  table.issues-index td:nth-child(5) span.no-pr { color: red; }
  @media (prefers-color-scheme: dark) {
     html {
        color: #ddd;
        background-color: black;
     }
     ins {
        background-color: #225522
     }
     del {
        background-color: #662222
     }
     a {
        color: #6af
     }
     a:visited {
        color: #6af
     }
     blockquote.note
     {
        background-color: rgba(255, 255, 255, .10)
     }
  }
</style>
</head>
<body>
<hr>
<p><em>This page is a snapshot from the LWG issues list, see the <a href="lwg-active.html">Library Active Issues List</a> for more information and the meaning of <a href="lwg-active.html#Resolved">Resolved</a> status.</em></p>
<h3 id="2499"><a href="lwg-defects.html#2499">2499</a>. <code>operator&gt;&gt;(basic_istream&amp;, CharT*)</code> makes it hard to avoid buffer overflows</h3>
<p><b>Section:</b> 31.7.5.3.3 <a href="https://wg21.link/istream.extractors">[istream.extractors]</a> <b>Status:</b> <a href="lwg-active.html#Resolved">Resolved</a>
 <b>Submitter:</b> Richard Smith <b>Opened:</b> 2015-05-08 <b>Last modified:</b> 2018-11-12</p>
<p><b>Priority: </b>2
</p>
<p><b>View all other</b> <a href="lwg-index.html#istream.extractors">issues</a> in [istream.extractors].</p>
<p><b>View all issues with</b> <a href="lwg-status.html#Resolved">Resolved</a> status.</p>
<p><b>Discussion:</b></p>
<p>
We removed <code>gets()</code> (due to an NB comment and C11 &mdash; bastion of backwards compatibility &mdash; doing the same). 
Should we remove this too?
</p>
<p>
Unlike <code>gets()</code>, there are legitimate uses:
</p>
<blockquote>
<pre>
char buffer[32];
char text[32] = // ...
istream_for_buffer(text) &gt;&gt; buffer; // ok, can't overrun buffer: an input stream over
                                     // text (hypothetical helper) yields at most 31 chars
</pre>
</blockquote>
<p>
&hellip; but the risk from constructs like "<code>std::cin &gt;&gt; buffer</code>" seems to outweigh the benefit.
</p>
<p>
The issue had been discussed on the library reflector starting around 
<a href="http://listarchives.isocpp.org/cgi-bin/wg21/message?wg=lib&amp;msg=35541">c++std-lib-35541</a>.
</p>

<p><i>[2015-06, Telecon]</i></p>

<p>VV: Request a paper to deprecate / remove anything</p>

<p><i>[2015-10, Kona Saturday afternoon]</i></p>

<p>STL: This overload is evil and should probably die. </p>
<p>VV: I agree with that, even though I don't care.</p>
<p>STL: Say that we either remove it outright following the gets() rationale, or at least deprecate it.</p>
<p>Move to Open; needs a paper.</p>

<p><i>[2016-08, Chicago: Zhihao Yuan comments and provides wording]</i></p>

<p>
Rationale:
</p>
<ol>
<li><p>I would like to keep some reasonable code working;</p></li>
<li><p>Reasonable code includes two cases:</p>
<ol style="list-style-type:lower-alpha">
<li><p><code>width() &gt; 0</code>, any pointer argument</p></li>
<li><p><code>width() &gt;= 0</code>, array argument</p></li>
</ol>
</li>
<li><p>For a), banning bad code will become a silent behavior change at runtime; 
for b), it breaks at compile time.</p></li>
</ol>
<p>
I propose to replace these signatures with references to arrays.
An implementation may want to ship the old instantiations in the
binary without exposing the old signatures.
</p>

<p><i>[2016-08, Chicago]</i></p>

<p>Tues PM: General agreement on deprecating the unsafe call, but no consensus for the P/R.</p>
<p>General feeling that implementation experience would be useful.</p>

<p><i>[2018-08-23 Batavia Issues processing]</i></p>

<p>Will be resolved by the adoption of <a href="https://wg21.link/P0487">P0487</a>.</p>

<p><i>[2018-11-11 Resolved by <a href="https://wg21.link/P0487R1">P0487R1</a>, adopted in San Diego.]</i></p>



<p id="res-2499"><b>Proposed resolution:</b></p>
<p>
This wording is relative to N4606.
</p>
<ol>
<li><p>Modify 31.7.5.3.3 <a href="https://wg21.link/istream.extractors">[istream.extractors]</a> as indicated:</p>

<blockquote>
<pre>
template&lt;class charT, class traits<ins>, size_t N</ins>&gt;
  basic_istream&lt;charT, traits&gt;&amp; operator&gt;&gt;(basic_istream&lt;charT, traits&gt;&amp; in,
                                           <del>charT* s</del><ins>charT (&amp;s)[N]</ins>);
template&lt;class traits<ins>, size_t N</ins>&gt;
  basic_istream&lt;char, traits&gt;&amp; operator&gt;&gt;(basic_istream&lt;char, traits&gt;&amp; in,
                                          <del>unsigned char* s</del><ins>unsigned char (&amp;s)[N]</ins>);
template&lt;class traits<ins>, size_t N</ins>&gt;
  basic_istream&lt;char, traits&gt;&amp; operator&gt;&gt;(basic_istream&lt;char, traits&gt;&amp; in,
                                          <del>signed char* s</del><ins>signed char (&amp;s)[N]</ins>);
</pre>
<blockquote>
<p>
-7- <i>Effects:</i> Behaves like a formatted input member (as described in 31.7.5.3.1 <a href="https://wg21.link/istream.formatted.reqmts">[istream.formatted.reqmts]</a>) 
of <code>in</code>. After a <code>sentry</code> object is constructed, <code>operator&gt;&gt;</code> extracts characters and 
stores them into <del>successive locations of an array whose first element is designated by</del> <code>s</code>. If <code>width()</code> 
is greater than zero, <code>n</code> is <code><del>width()</del><ins>min(size_t(width()), N)</ins></code>. Otherwise 
<code>n</code> is <del>the number of elements of the largest 
array of <code>char_type</code> that can store a terminating <code>charT()</code></del><ins><code>N</code></ins>. <code>n</code> is the 
maximum number of characters stored.
</p>
</blockquote>
</blockquote>
</li>
</ol>
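<p>
The following is an added example, not part of the issue record, of P0487R1, or of any standard library. It shows on constructed input the bound the <i>Effects</i> paragraph above specifies (<code>n = min(size_t(width()), N)</code> when <code>width() &gt; 0</code>, otherwise <code>N</code>, with at most <code>n-1</code> characters stored before the terminating <code>charT()</code>) and covers both cases from the Chicago rationale: (a) the caller sets <code>width()</code>, and (b) an array argument with <code>width() == 0</code>. The helper <code>extract_bounded</code> and the two driver functions are hypothetical names chosen for this example; the helper sets <code>width()</code> explicitly so the same call is bounded whether the pre-C++20 <code>charT*</code> overload (which trusts <code>width()</code> alone) or the C++20 <code>charT (&amp;)[N]</code> overload is selected.
</p>

```cpp
// Added example for LWG 2499 / P0487R1 (not part of the issue record or of
// any standard library). It shows, on constructed input, the bound that the
// resolution specifies: n = min(width(), N) when width() > 0, otherwise N,
// with at most n-1 characters stored before the terminating charT().
#include <algorithm>
#include <cstddef>
#include <ios>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper: extract one whitespace-delimited token into a
// fixed-size array with the P0487R1 bound. Setting width() explicitly makes
// the same call safe in both modes: the pre-C++20 charT* overload (case (a)
// in the rationale: it trusts width() alone, so width() == 0 is unbounded)
// and the C++20 charT(&)[N] overload (case (b): it also knows N). The
// extractor resets width() to 0 afterwards, as [istream.extractors] requires.
template <class CharT, class Traits, std::size_t N>
std::basic_istream<CharT, Traits>&
extract_bounded(std::basic_istream<CharT, Traits>& in, CharT (&s)[N])
{
    static_assert(N > 0, "array must have room for the terminating charT()");
    const std::streamsize w = in.width();
    const std::size_t n = (w > 0) ? std::min(static_cast<std::size_t>(w), N) : N;
    in.width(static_cast<std::streamsize>(n));
    return in >> s;   // never stores more than n-1 characters plus charT()
}

// Case (b): no width() set, the array's size is the only bound. A token
// longer than N-1 is split across successive extractions instead of
// overrunning the array; nothing is lost from the stream.
std::vector<std::string> read_tokens_bounded(const std::string& input)
{
    std::istringstream in(input);   // input is constructed for this example
    char buf[8];                    // room for 7 characters plus '\0'
    std::vector<std::string> out;
    while (extract_bounded(in, buf))
        out.emplace_back(buf);
    return out;
}

// Case (a): the caller sets width(). A width larger than the array is
// clamped to N, which is exactly what the old charT* overload could not do.
// Returns the stored token, or "" when the extraction failed (only
// whitespace, or end-of-file before any character was stored).
std::string read_with_width(const std::string& input, std::streamsize w)
{
    std::istringstream in(input);   // constructed input
    char buf[8];
    in.width(w);
    extract_bounded(in, buf);
    return in ? std::string(buf) : std::string();
}

int main()
{
    for (const std::string& t : read_tokens_bounded("hello AVeryLongTokenThatWouldOverflow x"))
        std::cout << '[' << t << "]\n";   // [hello] [AVeryLo] [ngToken] [ThatWou] [ldOverf] [low] [x]
    std::cout << read_with_width("abcdefghij", 4) << '\n'     // abc
              << read_with_width("abcdefghij", 100) << '\n';  // abcdefg (clamped to N = 8)
}
```

<p>
Note what the example does not do: it never calls the unbounded form <code>in &gt;&gt; ptr</code> with <code>width() == 0</code>, because on a pre-C++20 library that is the <code>gets()</code>-style overrun the issue is about, and in C++20 the pointer overload no longer exists. The practical check on an existing code base is therefore to grep for extractions into <code>char</code> arrays or pointers and confirm each is preceded by a <code>setw</code>/<code>width()</code> no larger than the destination, or to compile in C++20 mode, where the pointer form fails to compile and the array form is bounded by <code>N</code>.
</p>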





</body>
</html>
