Tcl Source Code

View Ticket
Ticket UUID: c2d22775ce4c6b53e57f3450ab935e1f87a64d23
Title: Fix signed integer overflow in Tcl_ListObjReplace
Type: Patch Version: 8.6.4
Submitter: anonymous Created on: 2017-08-02 06:35:08
Subsystem: None Assigned To: nobody
Priority: 5 Medium Severity: Minor
Status: Closed Last Modified: 2017-08-02 19:28:10
Resolution: Duplicate Closed By: dgp
Closed on: 2017-08-02 19:28:10
Description:
Tcl_ListObjReplace contains code:
int first;
int count;
....
if (numElems < first+count || first+count < 0) {
/*
 * The 'first+count < 0' condition here guards against integer
 * overflow in determining 'first+count'.
 */

So overflow is expected, but it's calculated with a signed type, which is "undefined behavior".

Proposed fix:

--- old/generic/tclListObj.c	2015-11-17 17:03:00.000000000 -0800
+++ new/generic/tclListObj.c	2017-08-01 23:22:59.000000000 -0700
@@ -897,13 +897,16 @@
     }
     if (count < 0) {
 	count = 0;
-    } else if (numElems < first+count || first+count < 0) {
-	/*
-	 * The 'first+count < 0' condition here guards agains integer
-	 * overflow in determining 'first+count'.
-	 */
+    } else {
+	int firstWithCount = (unsigned) first + count;
+	if (numElems < firstWithCount || firstWithCount < 0) {
+	    /*
+	     * The 'first+count < 0' condition here guards agains integer
+	     * overflow in determining 'first+count'.
+	     */
 
-	count = numElems - first;
+	    count = numElems - first;
+	}
     }
 
     isShared = (listRepPtr->refCount > 1);
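Review bot: the `int firstWithCount = (unsigned) first + count;` line in this hunk does not remove the reliance on wraparound, it only moves it: the unsigned sum is well defined, but converting an out-of-range unsigned value back to `int` is implementation-defined (C99 6.3.1.3p3), so `firstWithCount < 0` still assumes two's-complement behaviour rather than being guaranteed by the standard. Either keep the sum unsigned and compare it unsigned (`unsigned firstWithCount = (unsigned) first + (unsigned) count; if (firstWithCount > (unsigned) numElems)`), or, if `first` has already been clamped into `[0, numElems]` by the code preceding this hunk (not visible here), drop the addition entirely and test `count > numElems - first`, which cannot overflow. The retained comment also still talks about `'first+count < 0'` although the expression is now `firstWithCount`, and keeps the `agains` typo; update it to describe the check actually performed.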
User Comments: dgp added on 2017-08-02 19:28:10:
Already fixed for 8.6.7+

https://core.tcl.tk/tcl/info/b2a4266498c8dfd7
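The clamping that Tcl_ListObjReplace performs on `(first, count)`, written without any signed overflow, as an added example that is not Tcl's code and not the ticket's patch. Function names (`clampFirst`, `clampCountUnsigned`, `clampCountNoOverflow`) and the assumption that `first` is clamped into `[0, numElems]` before the count check are this example's own.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Added example, not Tcl's own code.  Both clampCount* functions take
 * the list length and the caller's (first, count) pair and return the
 * number of elements that may actually be replaced.  Assumption: the
 * real function clamps 'first' into [0, numElems] before the count
 * check, which clampFirst mimics here.
 */
static int clampFirst(int numElems, int first)
{
    if (first < 0) {
        return 0;
    }
    if (first > numElems) {
        return numElems;
    }
    return first;
}

/*
 * Variant 1: the shape of the ticket's patch, but the sum stays
 * unsigned and is compared unsigned, so no out-of-range value is ever
 * converted back to int.  Two non-negative ints add up to at most
 * 2*INT_MAX == UINT_MAX - 1, so the unsigned sum cannot even wrap;
 * the comparison against numElems is the whole check.
 */
int clampCountUnsigned(int numElems, int first, int count)
{
    unsigned sum;

    first = clampFirst(numElems, first);
    if (count < 0) {
        return 0;
    }
    sum = (unsigned) first + (unsigned) count;
    if (sum > (unsigned) numElems) {
        return numElems - first;
    }
    return count;
}

/*
 * Variant 2: no addition at all.  With first in [0, numElems],
 * 'numElems - first' is in [0, numElems] and cannot overflow, so the
 * count can be compared against it directly.
 */
int clampCountNoOverflow(int numElems, int first, int count)
{
    first = clampFirst(numElems, first);
    if (count < 0) {
        return 0;
    }
    if (count > numElems - first) {
        return numElems - first;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: a 5-element list, replacing from index 2. */
    int cases[][3] = {
        {5, 2, 1},        /* in range */
        {5, 2, 3},        /* exactly to the end */
        {5, 2, 4},        /* past the end */
        {5, 2, INT_MAX},  /* first+count would overflow a signed int */
        {5, 7, 1},        /* first past the end */
        {5, 2, -9},       /* negative count */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("numElems=%d first=%d count=%d -> unsigned:%d nooverflow:%d\n",
               cases[i][0], cases[i][1], cases[i][2],
               clampCountUnsigned(cases[i][0], cases[i][1], cases[i][2]),
               clampCountNoOverflow(cases[i][0], cases[i][1], cases[i][2]));
    }
    return 0;
}
```

The `{5, 2, INT_MAX}` row is the case the ticket is about: in the original code `first+count` is a signed overflow, so the compiler is free to assume it cannot happen and delete the `first+count < 0` guard. Both variants above return 3 for it without relying on any wraparound.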