Overview
| Artifact ID: | 427efc96b901ce9fc459228737010814a5ffa394 |
|---|---|
| Ticket: | c2d22775ce4c6b53e57f3450ab935e1f87a64d23 Fix signed integer overflow in Tcl_ListObjReplace |
| User & Date: | anonymous 2017-08-02 06:35:08 |
Changes
- assignee changed to: "nobody"
- closer changed to: "nobody"
- cmimetype changed to: "text/plain"
- comment changed to:
Tcl_ListObjReplace contains code: int first; int count .... if (numElems < first+count || first+count < 0) { /* * The 'first+count < 0' condition here guards agains integer * overflow in determining 'first+count'. */ So overflow is expected but it's calculated with signed type which is "undefined behavior" Proposed fix: --- old/generic/tclListObj.c 2015-11-17 17:03:00.000000000 -0800 +++ new/generic/tclListObj.c 2017-08-01 23:22:59.000000000 -0700 @@ -897,13 +897,16 @@ } if (count < 0) { count = 0; - } else if (numElems < first+count || first+count < 0) { - /* - * The 'first+count < 0' condition here guards agains integer - * overflow in determining 'first+count'. - */ + } else { + int firstWithCount = (unsigned) first + count; + if (numElems < firstWithCount || firstWithCount < 0) { + /* + * The 'first+count < 0' condition here guards agains integer + * overflow in determining 'first+count'. + */ - count = numElems - first; + count = numElems - first; + } } isShared = (listRepPtr->refCount > 1);
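Review bot: the cast in `int firstWithCount = (unsigned) first + count;` moves the addition into unsigned arithmetic, where wraparound is defined, but storing that result back into an `int` and then testing `firstWithCount < 0` relies on the implementation-defined conversion of an out-of-range unsigned value to a signed type, so the check is no longer undefined behaviour but still not guaranteed by the standard to detect the overflow. Since `count` is known to be non-negative in this `else` branch, a form that never performs the addition, e.g. `if (count > numElems - first)`, is both fully defined and simpler, provided `first` already lies in `[0, numElems]` at this point (not visible in the hunk; if it does not, clamp it first). The retained comment should also be updated: it still describes `first+count` rather than `firstWithCount` (or the new comparison), and keeps the typo "agains".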
- foundin changed to: "8.6.4"
- is_private changed to: "0"
- login: "anonymous"
- priority changed to: "5 Medium"
- private_contact changed to: "61ec11df7062b717a200d064063aa94b7b27781c"
- resolution changed to: "None"
- severity changed to: "Minor"
- status changed to: "Open"
- submitter changed to: "anonymous"
- subsystem changed to: "None"
- title changed to: "Fix signed integer overflow in Tcl_ListObjReplace"
- type changed to: "Patch"
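The defined-behaviour alternative to the overflow-prone `first+count` test, as an added example that is not Tcl's own code: the range is clamped by comparing `count` against `numElems - first`, which cannot overflow once `first` is in `[0, numElems]` and `count` is non-negative, and `add_would_overflow` shows the general pre-check for a signed addition. The helper names and the assumption that the caller wants Tcl_ListObjReplace-style clamping (negative `first` to 0, `first` past the end to `numElems`, negative `count` to 0) are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Pre-check for a signed addition: true if a + b would leave the range of
 * int. Evaluated without performing the addition, so it is never UB.
 */
bool add_would_overflow(int a, int b)
{
    return (b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b);
}

/*
 * Clamp a (first, count) replacement range against a list of numElems
 * elements. Hypothetical helper, not Tcl's code. The ordering matters:
 * first is clamped into [0, numElems] before count is examined, so
 * numElems - *first is in [0, numElems] and the comparison cannot overflow.
 */
void clamp_replace_range(int numElems, int *first, int *count)
{
    if (*first < 0) {
        *first = 0;
    } else if (*first > numElems) {
        *first = numElems;
    }
    if (*count < 0) {
        *count = 0;
    } else if (*count > numElems - *first) {
        /* Equivalent to "first + count > numElems" without the addition. */
        *count = numElems - *first;
    }
}

/* Value-returning wrappers so the clamp can be checked call by call. */
int clamped_first(int numElems, int first, int count)
{
    clamp_replace_range(numElems, &first, &count);
    return first;
}

int clamped_count(int numElems, int first, int count)
{
    clamp_replace_range(numElems, &first, &count);
    return count;
}

int main(void)
{
    /* Constructed inputs, including the overflowing case from the ticket. */
    struct { int n, first, count; } cases[] = {
        {10, 2, 3},
        {10, 2, INT_MAX},       /* first + count would overflow int */
        {10, INT_MAX, INT_MAX}, /* first itself beyond the list */
        {10, -5, 4},
        {10, 8, -1},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int f = cases[i].first, c = cases[i].count;
        printf("n=%d first=%d count=%d (naive sum overflows: %d) -> first=%d count=%d\n",
               cases[i].n, f, c, add_would_overflow(f, c),
               clamped_first(cases[i].n, f, c), clamped_count(cases[i].n, f, c));
    }
    return 0;
}
```

The same shape applies wherever a bounds check is written as `start + len <= limit` on signed integers: compare `len` against `limit - start` after establishing `0 <= start <= limit`, or use a pre-check like `add_would_overflow` when the operands are not already constrained.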