| Ticket UUID: | 2557796 | |||
| Title: | TclpAlloc() - no overflow protection | |||
| Type: | Bug | Version: | obsolete: 8.6b1.1 | |
| Submitter: | dgp | Created on: | 2009-02-02 18:31:53 | |
| Subsystem: | 41. Memory Allocation | Assigned To: | dgp | |
| Priority: | 5 Medium | Severity: | ||
| Status: | Closed | Last Modified: | 2009-09-29 11:47:39 | |
| Resolution: | Fixed | Closed By: | dgp | |
| Closed on: | 2009-09-29 04:47:39 | |||
| Description: |
The TclpAlloc() implementation in tclThreadAlloc.c accepts an (unsigned int) argument "reqSize" for the number of bytes the caller needs. If a value greater than (UINT_MAX - sizeof(Block)) is passed in, then the calculation of the total allocation needed including overhead will overflow the unsigned int range, and on systems where the range of size_t is no bigger than the range of unsigned int, the value of "size" will overflow and the comparions to MAXALLOC, etc. may well return bogus results. | |||
| User Comments: |
dgp added on 2009-09-29 11:47:39:
allow_comments - 1 dgp added on 2009-09-29 11:47:35: fixed on all branches dgp added on 2009-02-03 03:18:11: File Added - 311742: 2557796.patch Here's a patch. File Added: 2557796.patch | |||
Attachments:
- 2557796.patch [download] added by dgp on 2009-02-03 03:18:11. [details]