| Ticket UUID: | 112e7aa36dbfc3e12be9b32968593729ca6f6264 | |||
| Title: | signed integer overflow in Tcl_SetObjLength(), Tcl_AttemptSetObjLength() | |||
| Type: | Patch | Version: | core-8-6-branch | |
| Submitter: | chrstphrchvz | Created on: | 2022-03-05 22:48:06 | |
| Subsystem: | 10. Objects | Assigned To: | jan.nijtmans | |
| Priority: | 5 Medium | Severity: | Minor | |
| Status: | Closed | Last Modified: | 2022-03-06 16:00:59 | |
| Resolution: | Fixed | Closed By: | jan.nijtmans | |
| Closed on: | 2022-03-06 16:00:59 | |||
| Description: |
Calling Tcl_SetObjLength(…, INT_MAX) or Tcl_AttemptSetObjLength(…, INT_MAX) leads to signed integer overflow. The attached patch avoids this. Example UBSan error:
tcl/generic/tclStringObj.c:961:27: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Example test case to add to stringObj.test (likely not desirable for Tcl to adopt—will panic on systems with insufficient memory):
test stringObj-4.99 {Tcl_SetObjLength procedure, string lengthened to INT_MAX} testobj {
testobj freeallvars
teststringobj set 1 abcdef
teststringobj setlength 1 [expr 2**31-1]
list [teststringobj length 1]
} [list [expr 2**31-1]]
| |||
| User Comments: |
jan.nijtmans added on 2022-03-06 16:00:59:
Fixed [2699f682ae|here] Thanks for the report and the patch! | |||
Attachments:
- 112e7aa36d.diff [download] added by chrstphrchvz on 2022-03-05 22:48:47. [details]