Ticket UUID: 1115904
Title: Tcl_EvalEx can evade recursion limit
Type: Bug
Version: obsolete: 8.5a3
Submitter: dgp
Created on: 2005-02-04 02:23:59
Subsystem: 45. Parsing and Eval
Assigned To: dgp
Priority: 5 Medium
Severity:
Status: Closed
Last Modified: 2005-03-18 23:34:47
Resolution: Fixed
Closed By: dgp
Closed on: 2005-03-18 16:34:46
Description:

Call Tcl_EvalEx() on a command with significant nesting of substitution...

    Tcl_Eval(interp, "foo [foo [foo [...]]]");

Tcl_EvalEx will call TclSubstTokens to do the command substitution for the argument. Which will turn around and recursively call Tcl_EvalEx to evaluate the command, etc.

...All without incrementing iPtr->numLevels...

This means an arbitrarily deep number of recursive calls to Tcl_EvalEx can happen without detection, evading the limitations meant to be imposed by [interp recursionlimit]. Eventually this can lead to stack overflow problems.

User Comments:
dgp added on 2005-03-18 23:34:47:
File Added - 126252: 1115904-84.patch

dgp added on 2005-03-18 23:34:46:
Here's the corresponding patch for 8.4. Note that more patching is required because in Tcl 8.4, script evaluation substitution and [subst] substitution haven't been unified as they have in Tcl 8.5. Committing for 8.4.10

dgp added on 2005-03-18 22:51:49:
Fixed in HEAD (8.5a3)

msofer added on 2005-03-18 22:29:38:
Nice patch - commit please

dgp added on 2005-02-04 23:56:43:
File Deleted - 118493:

dgp added on 2005-02-04 23:56:42:
File Added - 118584: 1115904.patch

dgp added on 2005-02-04 23:56:41:
Here's a better patch with tests. Please review and apply if acceptable.

dgp added on 2005-02-04 22:01:04:
Appears that this issue dates all the way back to the arrival of Tcl_EvalEx around Tcl 8.1.

dgp added on 2005-02-04 21:47:33:
That patch doesn't fix the issue after all. There's no call to TclInterpReady() in that code path either, so no chance to detect the recursion limit. Thoughts?

dgp added on 2005-02-04 09:39:59:
File Added - 118493: 1115904.patch
Attached patch corrects the bug, but also changes $::errorInfo in some situations, causing test basic-46.4 to fail. Comment?
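
The accounting gap described in this ticket, as an added example that is not part of the ticket or of Tcl's source: a toy recursive evaluator in C where nested bracket substitution re-enters the evaluator, run once without and once with level counting and a limit check on that path. The type and function names, the nesting depth (5000) and the limit (1000) are constructed for illustration; this models the idea only and is not the attached patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, not Tcl source; all names are hypothetical. maxLevels stands
 * in for [interp recursionlimit]; deepest is the real C recursion reached. */
typedef struct { int numLevels, maxLevels, deepest; } Interp;
enum { EVAL_OK = 0, EVAL_ERROR = 1 };
/* Each '[' re-enters the evaluator, as command substitution does.
 * guarded=0: nested entry is neither counted nor checked (the report).
 * guarded=1: nested entry is counted and checked against the limit. */
static int eval_script(Interp *ip, const char *s, int depth, int guarded) {
    const char *lb = strchr(s, '[');
    int rc;
    if (depth > ip->deepest) ip->deepest = depth;
    if (lb == NULL) return EVAL_OK;            /* innermost command */
    if (guarded && ip->numLevels >= ip->maxLevels) return EVAL_ERROR;
    ip->numLevels += guarded;
    rc = eval_script(ip, lb + 1, depth + 1, guarded);
    ip->numLevels -= guarded;
    return rc;
}

/* Build "foo [foo [ ... foo]]" with n levels of bracket nesting. */
static char *nested_script(int n) {
    char *buf = malloc((size_t)n * 6 + 4), *p = buf;
    if (buf == NULL) return NULL;
    for (int i = 0; i < n; i++, p += 5) memcpy(p, "foo [", 5);
    memcpy(p, "foo", 3);
    memset(p + 3, ']', (size_t)n);
    p[3 + n] = '\0';
    return buf;
}
/* Returns the deepest real recursion reached; *rc receives the result. */
static int run(int n, int limit, int guarded, int *rc) {
    Interp ip = { 0, limit, 0 };
    char *s = nested_script(n);
    if (s == NULL) { *rc = EVAL_ERROR; return -1; }
    *rc = eval_script(&ip, s, 0, guarded);
    free(s);
    return ip.deepest;
}
int main(void) {
    for (int g = 0; g <= 1; g++) {
        int rc, d = run(5000, 1000, g, &rc);
        printf("guarded=%d rc=%d depth=%d\n", g, rc, d);
    }
    return 0;
}
```

In the unguarded run the recursion depth tracks the input's nesting with no error raised; in the guarded run evaluation stops with an error once the accounted depth reaches the limit.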