| Ticket UUID: | 714106 | |||
| Title: | [string repeat] may crash | |||
| Type: | Bug | Version: | obsolete: 8.4.2 | |
| Submitter: | nobody | Created on: | 2003-04-02 18:58:39 | |
| Subsystem: | 41. Memory Allocation | Assigned To: | hobbs | |
| Priority: | 5 Medium | Severity: | ||
| Status: | Closed | Last Modified: | 2003-05-11 06:57:39 | |
| Resolution: | Fixed | Closed By: | hobbs | |
| Closed on: | 2003-05-10 23:57:38 | |||
| Description: |
The following code crashes a 32-bit machine (PC):
set M [string repeat x 1048576]
set G4 [string repeat $M 4096]
The culprit is the unchecked length multiplication
in line 2110 in "generic/tclCmdMZ.c:
length2 = length1 * count;
That can overflow. As a result, much less memory
gets allocated, than filled after allocation.
I suggest to check the multiplication by back-division:
if ((length2 / count) != length1) { ...error... }
Heiner [email protected]
| |||
| User Comments: |
hobbs added on 2003-05-11 06:57:39:
File Added - 50083: 714106.strrepeat hobbs added on 2003-05-11 06:57:38: Logged In: YES user_id=72656 Closed with the attached patch. I didn't add a test because it would have different behavior on 64-bit ILP systems. Fixed for 8.4.3 and 8.5. | |||
Attachments:
- 714106.strrepeat [download] added by hobbs on 2003-05-11 06:57:38. [details]