Ticket UUID: 2845535
Title: string overflow panic in [format]
Type: Bug
Version: obsolete: 8.6b1.1
Submitter: mistachkin
Created on: 2009-08-27 12:38:31
Subsystem: 10. Objects
Assigned To: dgp
Priority: 9 Immediate
Severity:
Status: Closed
Last Modified: 2009-08-28 02:35:14
Resolution: Fixed
Closed By: dgp
Closed on: 2009-08-27 19:35:14
Description:

The following command triggers a crash in 8.4, 8.5, and HEAD:

    format "%.2147483647f" 2

The following command triggers a crash in 8.5 and HEAD (in 8.4 it produces some kind of result):

    format "%2147483647.f" 2

The following code (near line 2187) in "generic\tclStringObj.c" is a bit problematic due to unchecked usage of sprintf with a fixed size buffer:

    char spec[2*TCL_INTEGER_SPACE + 9], *p = spec;
    <snip>
    if (width) {
        p += sprintf(p, "%d", width);
        if (width > length) {
            length = width;
        }
    }
    if (gotPrecision) {
        *p++ = '.';
        p += sprintf(p, "%d", precision);
        length += precision;
    }
User Comments:

dgp added on 2009-08-28 02:35:14:
allow_comments - 1

dgp added on 2009-08-28 02:35:09:
patch committed to fix in 8.5.8+. Consider either Works For Me or Wont Fix for 8.4.

dgp added on 2009-08-28 02:22:14:
patch attached

dgp added on 2009-08-28 02:21:58:
File Added - 340830: 2845535.patch

dgp added on 2009-08-28 01:34:29:
The Tcl code is not written with the possibility that sprintf() might raise an error, which according to the linux platform docs is done by returning a negative value.

dgp added on 2009-08-27 23:30:50:
For the second example, on a system where I avoid a mem alloc panic, I also see a panic, not a crash:

    % format "%2147483647.f" 2
    Tcl_SetObjLength: negative length requested: -1 (integer overflow?)

dgp added on 2009-08-27 23:23:04:
On the 8.5 and HEAD branches I see a panic, not a crash:

    % format %.2147483647f 2
    Tcl_SetObjLength: negative length requested: -2147483329 (integer overflow?)

In 8.4, I see:

    % format %.2147483647f 2
    %

dgp added on 2009-08-27 21:05:40:
Any relation to 2838354 ?

mistachkin added on 2009-08-27 19:58:58:
Further analysis reveals that I am tired. The actual line (near 2235) which causes the problem is:

    Tcl_SetObjLength(segment, sprintf(bytes, spec, d));
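As an added illustration of the two steps the ticket quotes (this is not code from the ticket, from the attached patch, or from Tcl itself): the spec string is built with a bounded snprintf, width and precision are rejected above an assumed policy limit MAX_FIELD before any formatting happens, and the output buffer is sized from snprintf's own return value, with a negative return treated as an error instead of being passed on as a length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for width and precision; not a Tcl constant. */
#define MAX_FIELD 4096

/* Build a spec such as "%10.2f" into spec[cap].
 * Returns 0 on success, -1 when width/precision are out of policy,
 * when snprintf reports an error, or when the spec would not fit. */
int build_spec(char *spec, size_t cap, int width, int precision, int got_precision)
{
    int n;
    if (width < 0 || width > MAX_FIELD) {
        return -1;
    }
    if (got_precision && (precision < 0 || precision > MAX_FIELD)) {
        return -1;
    }
    if (got_precision) {
        n = snprintf(spec, cap, "%%%d.%df", width, precision);
    } else {
        n = snprintf(spec, cap, "%%%df", width);
    }
    /* A negative n is an error; n >= cap means the output was truncated. */
    if (n < 0 || (size_t)n >= cap) {
        return -1;
    }
    return 0;
}

/* Format d with a spec produced by build_spec. The required length is
 * asked of snprintf first, so no fixed-size buffer is ever overrun.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *format_double(const char *spec, double d)
{
    int need = snprintf(NULL, 0, spec, d);
    if (need < 0) {
        return NULL; /* error (for example EOVERFLOW): never use it as a length */
    }
    char *out = malloc((size_t)need + 1);
    if (out == NULL) {
        return NULL;
    }
    int wrote = snprintf(out, (size_t)need + 1, spec, d);
    if (wrote != need) {
        free(out);
        return NULL;
    }
    return out;
}
```

The two ticket inputs are rejected by build_spec before reaching the formatter, so the huge-precision path that produced the negative length is never entered.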
Attachments:
- 2845535.patch added by dgp on 2009-08-28 02:21:58.