Ticket UUID: | 1036649 | |||
Title: | Buffer overrun in [subst] | |||
Type: | Bug | Version: | obsolete: 8.4.7 | |
Submitter: | dkf | Created on: | 2004-09-28 23:22:08 | |
Subsystem: | 45. Parsing and Eval | Assigned To: | dgp | |
Priority: | 9 Immediate | Severity: | ||
Status: | Closed | Last Modified: | 2004-10-27 05:01:46 | |
Resolution: | Fixed | Closed By: | dgp | |
Closed on: | 2004-10-26 21:58:09 | |||
Description: |
This is not a problem in the HEAD. Repeatedly do this command. The error result is always strange and occasionally it crashes. (Seems random which.) subst {[set x 1;} GDB claims crash happened like this: Program received signal SIGSEGV, Segmentation fault. 0x0807e5ab in Tcl_SubstObj (interp=0x8103390, objPtr=0x810bd10, flags=7) at ../generic/tclCmdMZ.c:2578 2578 switch (*p) { The 'p' pointer seems to have overflowed well past the end of the objPtr->bytes parameter: (gdb) print p $1 = 0x812c000 <Address 0x812c000 out of bounds> (gdb) print objPtr->bytes $2 = 0x8127788 "[set x 1;" Looks like a buffer overrun to me, and [subst] is often exposed to external sources. => CRITICAL BUG | |||
User Comments: |
dgp added on 2004-10-27 04:58:09:
Logged In: YES user_id=80530 corrected HEAD to have same subst-12.3 results as the 8.4 branch. At this point [subst] does not crash and is consistent between 8.4 and 8.5.. Anyone wanted other mods to [subst] should file a separate report. dgp added on 2004-10-27 03:54:48: Logged In: YES user_id=80530 added more tests (subst-12.3,4) to show the effect of syntax errors on side effects. Test subst-12.3 illustrates a change in behavior from 8.4 to 8.5. msofer added on 2004-09-30 17:41:35: Logged In: YES user_id=148712 tests added to HEAD; code review not yet done msofer added on 2004-09-30 02:39:04: Logged In: YES user_id=148712 Fix and tests committed to core-8-4-branch. Still to do: commit the new tests to HEAD, check if HEAD has the flaw too. dkf added on 2004-09-29 19:07:00: Logged In: YES user_id=79902 Fix looks good. Suggested test (you might want to give it a different test number): test subst-12.1 {nasty case} { list [catch {subst "\[subst {};"} msg] $msg } {1 {missing close-bracket}} msofer added on 2004-09-29 17:57:34: File Deleted - 103128: File Added - 103169: 1036649.patch Logged In: YES user_id=148712 updated patch - still missing tests dkf added on 2004-09-29 17:36:13: Logged In: YES user_id=79902 Syntax error is reported wrongly. :^( When I did the following after applying your patch: subst "\[subst {};" I got this error: can't read "f": no such variable msofer added on 2004-09-29 09:14:14: File Added - 103128: 1036649.patch msofer added on 2004-09-29 09:14:13: Logged In: YES user_id=148712 The problem seems to be in Tcl_EvalEx: it fails when it evaluates a nested script of unknown length (numBytes==-1) that is missing the closing ']' AND ends in ';' (a space after that seems not to trigger the buffer overflow). In any case, the attached patch to core-8-4-branch seems to fix it. There might be a more elegant to fix this ... Note that Tcl_EvalEx has been rewritten in HEAD; I did not yet check if the problemmight be there too. |
Attachments:
- 1036649.patch [download] added by msofer on 2004-09-29 17:57:34. [details]