Ticket UUID: 2669109
Title: INST_CONCAT1 no overflow protection
Type: Bug
Version: obsolete: 8.6b1.1
Submitter: dgp
Created on: 2009-03-06 18:48:16
Subsystem: 47. Bytecode Compiler
Assigned To: dgp
Priority: 5 Medium
Severity:
Status: Closed
Last Modified: 2009-03-20 21:36:28
Resolution: Fixed
Closed By: dgp
Closed on: 2009-03-20 14:36:28

Description:
Appends that overflow the max length of a string lead to corrupted nonsense.

User Comments:
dgp added on 2009-03-20 21:36:28:
allow_comments - 1
fixed on all branches

dgp added on 2009-03-20 20:41:29:
More reliable demo:

    proc demo foo "set bar [string repeat {$foo} 255]"
    demo [string repeat a 16843010]; concat

dgp added on 2009-03-20 02:58:09:
File Added - 318622: 2669109.patch
Here's a patch for the HEAD.
File Added: 2669109.patch

dgp added on 2009-03-20 02:05:01:
Was going to turn those into a test, but once the bug is fixed, the proper behavior will be to panic, which isn't test friendly.

dgp added on 2009-03-20 01:33:20:
Demo that doesn't need a system capable of big allocations:

    % set foo [string repeat a 16843010]; concat
    % set cmd {set bar }
    set bar
    % append cmd [string repeat {$foo} 255]; concat
    % eval $cmd; concat
    make: *** [shell] Segmentation fault

dgp added on 2009-03-20 01:28:10:
Demo:

    % set foo [string repeat a 8421505]; concat
    % set cmd {set bar }
    set bar
    % append cmd [string repeat {$foo} 255]; concat
    % eval $cmd; concat
    % string length $bar
    -2147483521

ferrieux added on 2009-03-08 04:15:26:
It appears there is code duplication between INST_CONCAT1 and Tcl_AppendObjToObj. Is there a good reason? Refactoring would solve this issue.

Attachments:
- 2669109.patch added by dgp on 2009-03-20 02:58:09.
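
The arithmetic behind the two demos in the comments, as an added example that is not Tcl source code and not the attached patch. It assumes a 32-bit signed string length (consistent with the -2147483521 result above); the function names are hypothetical, and the checked variant returns an error where the ticket says the fixed interpreter panics.

```c
#include <stdint.h>
#include <stdio.h>

/* Map an unsigned 32-bit value onto the signed value with the same bits,
 * without relying on implementation-defined narrowing. */
static int32_t wrap32(uint32_t u)
{
    return u <= INT32_MAX ? (int32_t)u : (int32_t)((int64_t)u - 4294967296LL);
}

/* Total length of `count` pieces of `piece_len` bytes with no overflow
 * protection: the sum silently wraps modulo 2^32. */
static int32_t total_unchecked(int32_t piece_len, int count)
{
    uint32_t sum = 0;
    for (int i = 0; i < count; i++)
        sum += (uint32_t)piece_len;
    return wrap32(sum);
}

/* Same total, but each addition is tested against the remaining headroom
 * before it happens. Returns -1 if the total cannot be represented. */
static int32_t total_checked(int32_t piece_len, int count)
{
    int32_t sum = 0;
    if (piece_len < 0 || count < 0)
        return -1;
    for (int i = 0; i < count; i++) {
        if (piece_len > INT32_MAX - sum)
            return -1;              /* would exceed the maximum string length */
        sum += piece_len;
    }
    return sum;
}

int main(void)
{
    /* Piece lengths and repeat count taken from the two demos in the ticket. */
    const int32_t demos[] = { 8421505, 16843010 };
    for (int i = 0; i < 2; i++)
        printf("255 x %d: unchecked=%d checked=%d\n", (int)demos[i],
               (int)total_unchecked(demos[i], 255),
               (int)total_checked(demos[i], 255));
    return 0;
}
```

The first demo's total lands just past INT32_MAX and appears as a negative length; the second wraps all the way around to a small positive value, which is why it needs no large allocation for the result before crashing.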