| Ticket UUID: | 1599352cca83527b22000b9e6a336fa84344bf61 | |||
| Title: | Tcl_Merge(): out-of-bounds write, more signed integer overflow | |||
| Type: | Patch | Version: | core-8-6-branch | |
| Submitter: | chrstphrchvz | Created on: | 2022-10-02 14:04:32 | |
| Subsystem: | 14. List Object | Assigned To: | jan.nijtmans | |
| Priority: | 5 Medium | Severity: | Minor | |
| Status: | Closed | Last Modified: | 2022-10-07 11:20:03 | |
| Resolution: | Fixed | Closed By: | jan.nijtmans | |
| Closed on: | 2022-10-07 11:20:03 | |||
| Description: |
Although it only makes sense to provide nonnegative argc to Tcl_Merge(), the function is a public API currently making no effort to guard against negative argc.
At a minimum, I would suggest changing the behavior of the function slightly so that it always panics to prevent the out-of-bounds write; panicking is already possible in that case during the ckalloc(INT_MIN) call. Maybe a more helpful panic message can be used. See attached patch for a possible solution. | |||
| User Comments: |
jan.nijtmans added on 2022-10-07 11:20:03:
Should be better now: [63b0443866958521] chrstphrchvz added on 2022-10-06 20:17:44: I meant argc == INT_MIN in the previous comment. chrstphrchvz added on 2022-10-06 20:06:36: [0e2b23ff845b] does fix quite a few issues, including some I had suspected or had not yet reported. However there is still the issue of argc == INT_MAX leading to an out-of-bounds write. Is this won't-fix for Tcl < 9.0? jan.nijtmans added on 2022-10-06 10:23:08: Should be fixed [0e2b23ff845b1e1b|here] | |||
Attachments:
- 1599352cca83.diff [download] added by chrstphrchvz on 2022-10-02 14:06:20. [details]