Tcl Source Code

View Ticket
Ticket UUID: 05ff16e799ef5d6d15ad1330425f243e5c49d13
Title: signed integer overflow in ExtendStringRepWithUnicode()
Type: Patch
Version: core-8-6-branch
Submitter: chrstphrchvz
Created on: 2022-04-07 18:58:01
Subsystem: 10. Objects
Assigned To: jan.nijtmans
Priority: 5 Medium
Severity: Minor
Status: Closed
Last Modified: 2022-04-08 09:17:49
Resolution: Fixed
Closed By: jan.nijtmans
Closed on: 2022-04-08 09:17:49
Description:

Example script (assumes your Tcl already has the fix for [0e8fd6c6d5]):

set z [string repeat "\u0000" 1073741820]
puts stderr [::tcl::unsupported::representation $z]
# create string obj with longest possible unicode rep and no string rep
set zz [string replace $z 0 1 $z]
puts stderr [::tcl::unsupported::representation $zz]
# force generating string rep (should abort due to exceeding max size for a Tcl value)
set ZZ [string toupper $zz]
puts stderr [::tcl::unsupported::representation $ZZ]

Output containing UBSan -fsanitize=signed-integer-overflow error (which the attached patch prevents):

value is a pure string with a refcount of 2, object pointer at 0x604000041490, string representation "..."
value is a string with a refcount of 2, object pointer at 0x604000041c10, internal representation 0x316793800:0xbebebebebebebebe, no string representation
tcl/generic/tclStringObj.c:3344:7: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int'
max size for a Tcl value (2147483647 bytes) exceeded
(tclsh aborted)
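
Added example (not part of the ticket, and not Tcl's code or the attached patch): a size accumulation that compares against INT_MAX before adding, so the limit is detected without the signed overflow UBSan reports above. The names utf8_width and checked_extend are hypothetical; the sketch assumes 16-bit code units and Tcl's internal encoding of U+0000 as the two bytes C0 80.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes needed for one 16-bit code unit in Tcl's internal (modified) UTF-8,
 * where U+0000 is stored as two bytes (C0 80). Hypothetical helper. */
static int utf8_width(unsigned short ch)
{
    if (ch == 0) return 2;
    if (ch < 0x80) return 1;
    if (ch < 0x800) return 2;
    return 3;
}

/* Adds the encoded size of chars[0..n) to the existing byte count `size`.
 * Returns 0 and stores the total in *out, or -1 if the total would exceed
 * INT_MAX. The comparison happens before the addition, so `size + w` is
 * never evaluated when it cannot be represented in an int. */
static int checked_extend(int size, const unsigned short *chars, size_t n,
                          int *out)
{
    size_t i;

    if (size < 0) return -1;
    for (i = 0; i < n; i++) {
        int w = utf8_width(chars[i]);
        if (size > INT_MAX - w) return -1;   /* would exceed the limit */
        size += w;
    }
    *out = size;
    return 0;
}

int main(void)
{
    /* Constructed input mirroring the UBSan message: INT_MAX - 1 bytes
     * (2147483646 with a 32-bit int) plus one more NUL character. */
    unsigned short nul[1] = { 0 };
    int total = 0;

    if (checked_extend(INT_MAX - 1, nul, 1, &total) != 0) {
        fprintf(stderr, "max size (%d bytes) exceeded\n", INT_MAX);
        return 1;
    }
    printf("%d\n", total);
    return 0;
}
```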

User Comments: jan.nijtmans added on 2022-04-08 09:17:49:

Merged to 8.6 and 8.7 (no problem on 9.0)

Thanks!


Attachments: