Tcl Source Code

Ticket UUID: 2845535
Title: string overflow panic in [format]
Type: Bug
Version: obsolete: 8.6b1.1
Submitter: mistachkin
Created on: 2009-08-27 12:38:31
Subsystem: 10. Objects
Assigned To: dgp
Priority: 9 Immediate
Severity:
Status: Closed
Last Modified: 2009-08-28 02:35:14
Resolution: Fixed
Closed By: dgp
Closed on: 2009-08-27 19:35:14
Description:
The following command triggers a crash in 8.4, 8.5, and HEAD:

format "%.2147483647f" 2

The following command triggers a crash in 8.5 and HEAD (in 8.4 it produces some kind of result):

format "%2147483647.f" 2

The following code (near line 2187) in "generic\tclStringObj.c" is a bit problematic due to unchecked usage of sprintf with a fixed size buffer:

    char spec[2*TCL_INTEGER_SPACE + 9], *p = spec;
    <snip>
    if (width) {
        p += sprintf(p, "%d", width);
        if (width > length) {
            length = width;
        }
    }
    if (gotPrecision) {
        *p++ = '.';
        p += sprintf(p, "%d", precision);
        length += precision;
    }
User Comments:

dgp added on 2009-08-28 02:35:09:
patch committed to fix in 8.5.8+

consider either Works For Me or Wont Fix for 8.4.

dgp added on 2009-08-28 02:22:14:
patch attached

dgp added on 2009-08-28 02:21:58:

File Added - 340830: 2845535.patch

dgp added on 2009-08-28 01:34:29:
The Tcl code is not written with the possibility
that sprintf() might raise an error, which according
to the linux platform docs is done by returning
a negative value.

dgp added on 2009-08-27 23:30:50:
For the second example, on a system
where I avoid a mem alloc panic, I also
see a panic, not a crash:

% format "%2147483647.f" 2
Tcl_SetObjLength: negative length requested: -1 (integer overflow?)

dgp added on 2009-08-27 23:23:04:
on the 8.5 and HEAD branches I see a panic, not a crash:

% format %.2147483647f 2
Tcl_SetObjLength: negative length requested: -2147483329 (integer overflow?)

In 8.4, I see:

% format %.2147483647f 2
%

dgp added on 2009-08-27 21:05:40:
Any relation to 2838354 ?

mistachkin added on 2009-08-27 19:58:58:
Further analysis reveals that I am tired.  The actual line (near 2235) which causes the problem is:

Tcl_SetObjLength(segment, sprintf(bytes, spec, d));
