Tcl Source Code: Ticket Change Details

Overview

Artifact ID:	427efc96b901ce9fc459228737010814a5ffa394
Ticket:	c2d22775ce4c6b53e57f3450ab935e1f87a64d23 Fix signed integer overflow in Tcl_ListObjReplace
User & Date:	anonymous 2017-08-02 06:35:08

Changes

assignee changed to: "nobody"
closer changed to: "nobody"
cmimetype changed to: "text/plain"

comment changed to:

Tcl_ListObjReplace contains code:
int first;
int count
....
if (numElems < first+count || first+count < 0) {
/*
* The 'first+count < 0' condition here guards agains integer
* overflow in determining 'first+count'.
*/

So overflow is expected but it's calculated with signed type which is "undefined behavior"

Proposed fix:

--- old/generic/tclListObj.c	2015-11-17 17:03:00.000000000 -0800
+++ new/generic/tclListObj.c	2017-08-01 23:22:59.000000000 -0700
@@ -897,13 +897,16 @@
     }
     if (count < 0) {
 	count = 0;
-    } else if (numElems < first+count || first+count < 0) {
-	/*
-	 * The 'first+count < 0' condition here guards agains integer
-	 * overflow in determining 'first+count'.
-	 */
+    } else {
+	int firstWithCount = (unsigned) first + count;
+	if (numElems < firstWithCount || firstWithCount < 0) {
+	    /*
+	     * The 'first+count < 0' condition here guards agains integer
+	     * overflow in determining 'first+count'.
+	     */
 
-	count = numElems - first;
+	    count = numElems - first;
+	}
     }
 
     isShared = (listRepPtr->refCount > 1);

foundin changed to: "8.6.4"
is_private changed to: "0"
login: "anonymous"
priority changed to: "5 Medium"
private_contact changed to: "61ec11df7062b717a200d064063aa94b7b27781c"
resolution changed to: "None"
severity changed to: "Minor"
status changed to: "Open"
submitter changed to: "anonymous"
subsystem changed to: "None"
title changed to: "Fix signed integer overflow in Tcl_ListObjReplace"
type changed to: "Patch"