Tcl Source Code

Ticket UUID: 2669109
Title: INST_CONCAT1 no overflow protection
Type: Bug
Version: obsolete: 8.6b1.1
Submitter: dgp
Created on: 2009-03-06 18:48:16
Subsystem: 47. Bytecode Compiler
Assigned To: dgp
Priority: 5 Medium
Severity:
Status: Closed
Last Modified: 2009-03-20 21:36:28
Resolution: Fixed
Closed By: dgp
Closed on: 2009-03-20 14:36:28
Description:
appends that overflow the max length of a string lead to corrupted nonsense.
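The arithmetic behind this bug, as an added worked example in C that is not from the ticket, the attached patch or Tcl's own source: a concat that sums the int lengths of its operands with no range check wraps, so 255 copies of a 16843010-byte string "total" 254 bytes and 255 copies of an 8421505-byte string total -2147483521, the value dgp's demo below prints for `string length $bar`. The checked version refuses before anything is allocated, so a wrapped size never reaches malloc or memcpy. The Obj type and every function name here are hypothetical stand-ins, and the fixed model returns an error where the ticket says Tcl's fix panics.

```c
/*
 * Added example, not code from the Tcl ticket, its patch or Tcl itself.
 * Models the failure mode the ticket describes (unchecked int length
 * accumulation in a concat) next to the check a fixed concat needs.
 * Obj and all function names are hypothetical; the fixed model returns
 * an error where Tcl's actual fix panics.
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a string-valued object: bytes plus an int length. */
typedef struct {
    const char *bytes;
    int length;
} Obj;

/* Buggy model: add lengths into an int with no range check.  The sum is
 * done in unsigned and converted back so the wrap-around is deterministic
 * (signed overflow in C is undefined behaviour, so we do not rely on it). */
int unchecked_concat_length(const Obj *objs, int count)
{
    unsigned total = 0;
    for (int i = 0; i < count; i++) {
        total += (unsigned) objs[i].length;   /* wraps mod 2^32 */
    }
    return (int) total;                       /* 2^32 + 254 comes back as 254 */
}

/* Fixed model: stop as soon as the next operand would push the total past
 * INT_MAX.  Returns the total, or -1 on overflow (a valid total is >= 0). */
int checked_concat_length(const Obj *objs, int count)
{
    int total = 0;
    for (int i = 0; i < count; i++) {
        int len = objs[i].length;
        if (len < 0 || len > INT_MAX - total) {
            return -1;
        }
        total += len;
    }
    return total;
}

/* Concatenate through the checked length: allocation happens only once the
 * total is known to fit, so a wrapped size can never reach malloc or memcpy.
 * Returns a malloc'd NUL-terminated string, or NULL on overflow / OOM. */
char *concat_objs(const Obj *objs, int count)
{
    int total = checked_concat_length(objs, count);
    if (total < 0) {
        return NULL;
    }
    char *out = malloc((size_t) total + 1);
    if (out == NULL) {
        return NULL;
    }
    size_t pos = 0;
    for (int i = 0; i < count; i++) {
        memcpy(out + pos, objs[i].bytes, (size_t) objs[i].length);
        pos += (size_t) objs[i].length;
    }
    out[pos] = '\0';
    return out;
}

/* Reproduce the ticket's numbers without allocating the 16 MB strings:
 * 255 operands that each claim to be piece_len bytes long.  The length
 * functions only read .length, so .bytes can be a dummy. */
#define TICKET_COPIES 255

int ticket_unchecked_length(int piece_len)
{
    Obj objs[TICKET_COPIES];
    for (int i = 0; i < TICKET_COPIES; i++) {
        objs[i].bytes = "";
        objs[i].length = piece_len;
    }
    return unchecked_concat_length(objs, TICKET_COPIES);
}

int ticket_checked_length(int piece_len)
{
    Obj objs[TICKET_COPIES];
    for (int i = 0; i < TICKET_COPIES; i++) {
        objs[i].bytes = "";
        objs[i].length = piece_len;
    }
    return checked_concat_length(objs, TICKET_COPIES);
}

/* Small end-to-end check: three real (constructed) operands through the
 * checked path; returns 1 if the result equals expected. */
int demo_concat_matches(const char *expected)
{
    Obj pieces[3] = { {"set ", 4}, {"bar ", 4}, {"$foo", 4} };
    char *s = concat_objs(pieces, 3);
    int ok = (s != NULL && strcmp(s, expected) == 0);
    free(s);
    return ok;
}

int main(void)
{
    printf("255 x 8421505  unchecked: %d\n", ticket_unchecked_length(8421505));
    printf("255 x 16843010 unchecked: %d\n", ticket_unchecked_length(16843010));
    printf("255 x 16843010 checked:   %d\n", ticket_checked_length(16843010));
    printf("small concat ok:          %d\n", demo_concat_matches("set bar $foo"));
    return 0;
}
```

The two ticket lengths are not arbitrary: 255 * 8421505 = 2147483775, just past INT_MAX, which is why the first demo still "works" but reports a negative length, while 255 * 16843010 = 4294967550 wraps all the way round to 254, so the second demo allocates a 254-byte buffer and then appends 4 GB into it. The check belongs on every addition into the running total, not on the final value, because the final value is already wrong by then.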
User Comments:

dgp added on 2009-03-20 21:36:28:

fixed on all branches

dgp added on 2009-03-20 20:41:29:
More reliable demo:

proc demo foo "set bar [string repeat {$foo} 255]"
demo [string repeat a 16843010]; concat

dgp added on 2009-03-20 02:58:09:
File Added - 318622: 2669109.patch

Here's a patch for the HEAD.

dgp added on 2009-03-20 02:05:01:
Was going to turn those into a test, but once the bug is fixed, the proper behavior will be to panic, which isn't test friendly.

dgp added on 2009-03-20 01:33:20:
Demo that doesn't need a system capable of big allocations:

% set foo [string repeat a 16843010]; concat
% set cmd {set bar }
set bar
% append cmd [string repeat {$foo} 255]; concat
% eval $cmd; concat
make: *** [shell] Segmentation fault

dgp added on 2009-03-20 01:28:10:

Demo:

% set foo [string repeat a 8421505]; concat
% set cmd {set bar }
set bar
% append cmd [string repeat {$foo} 255]; concat
% eval $cmd; concat
% string length $bar
-2147483521

ferrieux added on 2009-03-08 04:15:26:
It appears there is code duplication between INST_CONCAT1 and Tcl_AppendObjToObj.
Is there a good reason?
Refactoring would solve this issue.

Attachments: