Description: |
Tcl_ListObjReplace contains code:
int first;
int count;
....
if (numElems < first+count || first+count < 0) {
    /*
     * The 'first+count < 0' condition here guards against integer
     * overflow in determining 'first+count'.
     */
So overflow is expected, but it's calculated with a signed type, which is "undefined behavior".
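To show the difference concretely, here is an added example (not Tcl's code, not the reporter's): three hypothetical stand-ins for the clamping step quoted above, all assuming what the surrounding Tcl code establishes before this point, namely 0 <= first <= numElems. The first keeps the report's signed-overflow shape, the second does the addition unsigned in the spirit of the proposed fix below but never converts the sum back to int, and the third rearranges the comparison so no addition happens at all.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Hypothetical helpers modelled on the clamp in Tcl_ListObjReplace.
 * Assumed precondition for all three: 0 <= first <= numElems, and
 * numElems >= 0.
 */

/* Shape from the report: 'first + count' is evaluated in int, so for a
 * large count it overflows, which is undefined behaviour. Kept only for
 * contrast; never call it with first + count > INT_MAX. */
static int clamp_count_signed_ub(int numElems, int first, int count)
{
    if (count < 0) {
        count = 0;
    } else if (numElems < first + count || first + count < 0) {
        count = numElems - first;
    }
    return count;
}

/* Proposed-fix style: add as unsigned, but keep the sum unsigned for the
 * comparison. Both operands are non-negative ints, so the sum is at most
 * 2 * INT_MAX, which fits in unsigned int; no wrap and no int conversion. */
static int clamp_count_unsigned(int numElems, int first, int count)
{
    if (count < 0) {
        count = 0;
    } else if ((unsigned) first + (unsigned) count > (unsigned) numElems) {
        count = numElems - first;
    }
    return count;
}

/* Simplest: compare against the remaining room instead. Under the
 * precondition numElems - first is in [0, numElems], so nothing can
 * overflow and no cast is needed. */
static int clamp_count_subtract(int numElems, int first, int count)
{
    if (count < 0) {
        count = 0;
    } else if (count > numElems - first) {
        count = numElems - first;
    }
    return count;
}

int main(void)
{
    /* 10 elements, replacing from index 8 with a huge count: only 2 remain. */
    printf("%d\n", clamp_count_subtract(10, 8, INT_MAX)); /* prints 2 */
    return 0;
}
```

Compile the UB variant with -fsanitize=undefined and pass it the same INT_MAX count to see the overflow reported; the other two stay silent.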
Proposed fix:
--- old/generic/tclListObj.c 2015-11-17 17:03:00.000000000 -0800
+++ new/generic/tclListObj.c 2017-08-01 23:22:59.000000000 -0700
@@ -897,13 +897,16 @@
}
if (count < 0) {
count = 0;
- } else if (numElems < first+count || first+count < 0) {
- /*
- * The 'first+count < 0' condition here guards agains integer
- * overflow in determining 'first+count'.
- */
+ } else {
+ int firstWithCount = (unsigned) first + count;
+ if (numElems < firstWithCount || firstWithCount < 0) {
+ /*
+ * The 'first+count < 0' condition here guards agains integer
+ * overflow in determining 'first+count'.
+ */
- count = numElems - first;
+ count = numElems - first;
+ }
}
isShared = (listRepPtr->refCount > 1);
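Review bot: `int firstWithCount = (unsigned) first + count;` removes the signed overflow but stores an out-of-range unsigned value into an int, which is implementation-defined rather than undefined, so the `firstWithCount < 0` test only does its job where that conversion happens to wrap. Keep the sum unsigned and compare it unsigned instead, e.g. `unsigned firstWithCount = (unsigned) first + (unsigned) count; if (firstWithCount > (unsigned) numElems) { count = numElems - first; }`; that is valid as long as first and count are both non-negative here (count is, via the `count < 0` branch just above, and first must be for the old `first+count < 0` test to be purely an overflow guard as the comment says). If first is also bounded by numElems at this point, `if (count > numElems - first)` avoids the addition altogether. Either way, the retained comment still talks about 'first+count' rather than the new variable and carries the "agains" typo; reword it to describe the check actually performed.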
|