Tcl Source Code

[root@<removed> fuzz]# cat libtcl85.py
#
# Libtcl 8.5 createfilehandler() crash poc
#
# Level was here
#
import _tkinter
def errback(*args, **kw):
        raise ValueError('error')

_tkinter.createfilehandler(674664117164,59.58,errback)
[root@eagle876 fuzz]# gdb --args python libtcl85.py
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/python...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install python-2.6.6-37.el6_4.i686 python-2.6.6-37.el6_4.x86_64
(gdb) r
Starting program: /usr/bin/python libtcl85.py
[Thread debugging using libthread_db enabled]
libtcl85.py:8: DeprecationWarning: integer argument expected, got float
  _tkinter.createfilehandler(674664117164,59.58,errback)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff05879cd in Tcl_CreateFileHandler () from /usr/lib64/libtcl8.5.so
(gdb) q


The second parameter typically contains an int, when provided a float a crash occurs in libtcl8.5.so.

Trying to force a float (double?) into a int will never be a good thing (especially if it is ending up changing the width of the argument on the stack!). That API function is specifically documented as taking an integer second argument; the bug must be in the code that glues Python to Tcl (which should reject or cast a float second argument; I don't care which).

We don't maintain the tkinter package. Not our bug.