Out-of-bounds access in TFormula constructor

[lmoureaux]

Check duplicate issues.

• Checked for duplicates

Description

Doing TFormula("f", "[") triggers out-of-bounds TString reads.

Reproducer

TFormula f("f", "[");

Output in the interpreter:

root [0] TFormula f("f", "[")
Error in <TString::AssertElement>: out of bounds: i = 2, Length = 1
Error in <TString::AssertElement>: out of bounds: i = 3, Length = 1
Error in <TString::AssertElement>: out of bounds: i = 4, Length = 1
Error in <TString::AssertElement>: out of bounds: i = 5, Length = 1
Error in <TString::AssertElement>: out of bounds: i = 6, Length = 1
Error in <TString::AssertElement>: out of bounds: i = 7, Length = 1
Error in <TString::AssertElement>: out of bounds: i = 8, Length = 1

In compiled code this can trigger a SEGV instead.

The correct behaviour is to safely create a TFormula for which IsValid() returns false.

ROOT version

   ------------------------------------------------------------------
  | Welcome to ROOT 6.32.02                        https://root.cern |
  | (c) 1995-2024, The ROOT Team; conception: R. Brun, F. Rademakers |
  | Built for linuxx8664gcc on Sep 18 2024, 20:27:53                 |
  | From heads/master@tags/v6-32-02                                  |
  | With                                                             |
  | Try '.help'/'.?', '.demo', '.license', '.credits', '.quit'/'.q'  |
   ------------------------------------------------------------------

Installation method

conda

Operating system

Linux (Ubuntu 24.04)

Additional context

Also on macOS with a more recent ROOT, see https://gitlab.cern.ch/Proto/Darwin/-/merge_requests/146#note_10873492