Ticket UUID: | 714106 | |||
Title: | [string repeat] may crash | |||
Type: | Bug | Version: | obsolete: 8.4.2 | |
Submitter: | nobody | Created on: | 2003-04-02 18:58:39 | |
Subsystem: | 41. Memory Allocation | Assigned To: | hobbs | |
Priority: | 5 Medium | Severity: | ||
Status: | Closed | Last Modified: | 2003-05-11 06:57:39 | |
Resolution: | Fixed | Closed By: | hobbs | |
Closed on: | 2003-05-10 23:57:38 | |||
Description: |
The following code crashes a 32-bit machine (PC): set M [string repeat x 1048576] set G4 [string repeat $M 4096] The culprit is the unchecked length multiplication in line 2110 in "generic/tclCmdMZ.c: length2 = length1 * count; That can overflow. As a result, much less memory gets allocated, than filled after allocation. I suggest to check the multiplication by back-division: if ((length2 / count) != length1) { ...error... } Heiner [email protected] | |||
User Comments: |
hobbs added on 2003-05-11 06:57:39:
File Added - 50083: 714106.strrepeat hobbs added on 2003-05-11 06:57:38: Logged In: YES user_id=72656 Closed with the attached patch. I didn't add a test because it would have different behavior on 64-bit ILP systems. Fixed for 8.4.3 and 8.5. |
Attachments:
- 714106.strrepeat [download] added by hobbs on 2003-05-11 06:57:38. [details]