| Ticket UUID: | 2971669 | |||
| Title: | int overflow in Tcl_ListObjReplace | |||
| Type: | Bug | Version: | obsolete: 8.6b1.1 | |
| Submitter: | dgp | Created on: | 2010-03-17 00:47:33 | |
| Subsystem: | 14. List Object | Assigned To: | dgp | |
| Priority: | 5 Medium | Severity: | ||
| Status: | Closed | Last Modified: | 2010-03-19 03:39:04 | |
| Resolution: | Fixed | Closed By: | dgp | |
| Closed on: | 2010-03-18 20:39:04 | |||
| Description: |
tclListObj.c, line 835:
} else if (numElems < first+count) {
what if "first+count" overflows the int range?
| |||
| User Comments: |
dgp added on 2010-03-19 03:39:04:
allow_comments - 1 and backported for 8.5.9. dgp added on 2010-03-19 03:35:08: reviewed and committed to HEAD. ferrieux added on 2010-03-18 03:55:36: A few lines after the fix there's numRequired = numElems - count + objc; which can overflow again; not sure we don't end up with a negative third argument to memmove a few lines down from there. </paranoid> kennykb added on 2010-03-18 01:23:22: Patch attached for the submitter's review. kennykb added on 2010-03-18 01:23:00: File Added - 367146: 2971669.patch | |||
Attachments:
- 2971669.patch [download] added by kennykb on 2010-03-18 01:23:00. [details]