Ticket UUID: 112e7aa36dbfc3e12be9b32968593729ca6f6264
Title: signed integer overflow in Tcl_SetObjLength(), Tcl_AttemptSetObjLength()
Type: Patch
Version: core-8-6-branch
Submitter: chrstphrchvz
Created on: 2022-03-05 22:48:06
Subsystem: 10. Objects
Assigned To: jan.nijtmans
Priority: 5 Medium
Severity: Minor
Status: Closed
Last Modified: 2022-03-06 16:00:59
Resolution: Fixed
Closed By: jan.nijtmans
Closed on: 2022-03-06 16:00:59
Description:
Calling Tcl_SetObjLength(…, INT_MAX) or Tcl_AttemptSetObjLength(…, INT_MAX) leads to signed integer overflow. The attached patch avoids this. Example UBSan error:
tcl/generic/tclStringObj.c:961:27: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Example test case to add to stringObj.test (likely not desirable for Tcl to adopt—will panic on systems with insufficient memory):

    test stringObj-4.99 {Tcl_SetObjLength procedure, string lengthened to INT_MAX} testobj {
        testobj freeallvars
        teststringobj set 1 abcdef
        teststringobj setlength 1 [expr 2**31-1]
        list [teststringobj length 1]
    } [list [expr 2**31-1]]

User Comments:
jan.nijtmans added on 2022-03-06 16:00:59:
Fixed [2699f682ae|here]. Thanks for the report and the patch!
Attachments:
- 112e7aa36d.diff added by chrstphrchvz on 2022-03-05 22:48:47.
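
The UBSan report in the description shows `2147483647 + 1` being evaluated in type `int` when a length of INT_MAX gets one byte added to it. The C code below is an added example of that pattern and one way to avoid it; it is not Tcl's source or the attached patch, and `StrBuf`, `strbuf_alloc_size` and `strbuf_attempt_set_length` are hypothetical names.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an object holding a NUL-terminated string
 * with an int length; this is not Tcl's Tcl_Obj. */
typedef struct {
    char *bytes;   /* NULL or heap buffer of length + 1 bytes */
    int   length;  /* characters stored, excluding the NUL */
} StrBuf;

/* Overflow-prone pattern (shown only as a comment):
 *     realloc(s->bytes, length + 1);
 * With length == INT_MAX the int addition overflows before the
 * conversion to size_t, which is what UBSan reports. */

/* Allocation size for `length` characters plus the NUL, computed in
 * size_t so the addition cannot overflow int. Returns 0 if length < 0. */
size_t strbuf_alloc_size(int length)
{
    if (length < 0) {
        return 0;
    }
    return (size_t)length + 1u;
}

/* Resize to `length` characters. Returns 1 on success, 0 if the length
 * is invalid or memory is unavailable (the old buffer is kept). */
int strbuf_attempt_set_length(StrBuf *s, int length)
{
    size_t need = strbuf_alloc_size(length);
    char *p;
    if (need == 0) {
        return 0;
    }
    p = realloc(s->bytes, need);
    if (p == NULL) {
        return 0;
    }
    if (length > s->length) {
        /* Zero the newly exposed region so no stale heap data leaks. */
        memset(p + s->length, 0, (size_t)(length - s->length));
    }
    p[length] = '\0';
    s->bytes = p;
    s->length = length;
    return 1;
}
```

Building with `-fsanitize=signed-integer-overflow`, the sanitizer check behind the report above, flags the commented-out form when it is called with INT_MAX and stays silent for the `size_t` form.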