Tcl Source Code

Check-in [16846911c7]
Login
Bounty program for improvements to Tcl and certain Tcl packages.
Tcl 2019 Conference, Houston/TX, US, Nov 4-8
Send your abstracts to tclconference@googlegroups.com
or submit via the online form by Sep 9.

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:closes [d051b77fc18d7340]: fixed segfault by integer overflow (if width by format like "%4000000000g" overflows to negative values by scan of length)
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | core-8-5-branch
Files: files | file ages | folders
SHA3-256:16846911c798f32dbc0b93fb326bc4e2baa64e9e8133e0b82d35195d8072913f
User & Date: sebres 2018-07-26 15:57:38
References
2018-07-26
16:01 Closed ticket [d051b77fc1]: segmentation fault in tclStringObj.c, line 2405 plus 6 other changes artifact: 760654989f user: sebres
Context
2018-07-26
16:46
test cases added to cover width overflow by format (should cause limit exceeded) check-in: 3b55e9c1e1 user: sebres tags: core-8-5-branch
15:57
closes [d051b77fc18d7340]: fixed segfault by integer overflow (if width by format like "%4000000000g... check-in: 16846911c7 user: sebres tags: core-8-5-branch
2018-07-12
14:17
win: closes [3f7af0e21e13f1f5] - avoid "permissions denied" by `file delete`, if file stat (TclpObjS... check-in: 4af9ff473e user: sebres tags: core-8-5-branch
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to generic/tclStringObj.c.

1934
1935
1936
1937
1938
1939
1940




1941
1942
1943
1944
1945
1946
1947
	/*
	 * Step 3. Minimum field width.
	 */

	width = 0;
	if (isdigit(UCHAR(ch))) {
	    width = strtoul(format, &end, 10);




	    format = end;
	    step = Tcl_UtfToUniChar(format, &ch);
	} else if (ch == '*') {
	    if (objIndex >= objc - 1) {
		msg = badIndex[gotXpg];
		goto errorMsg;
	    }







>
>
>
>







1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
	/*
	 * Step 3. Minimum field width.
	 */

	width = 0;
	if (isdigit(UCHAR(ch))) {
	    width = strtoul(format, &end, 10);
	    if (width < 0) {
		msg = overflow;
		goto errorMsg;
	    }
	    format = end;
	    step = Tcl_UtfToUniChar(format, &ch);
	} else if (ch == '*') {
	    if (objIndex >= objc - 1) {
		msg = badIndex[gotXpg];
		goto errorMsg;
	    }