Tcl Source Code

Ticket UUID: 7f8a3d981843fe53d6a6a6bd659f3a3440bd15e3
Title: signed integer overflow in tclExecute.c
Type: Patch
Version: core-8-6-branch
Submitter: chrstphrchvz
Created on: 2022-02-15 22:46:40
Subsystem: 48. Number Handling
Assigned To: jan.nijtmans
Priority: 5 Medium
Severity: Minor
Status: Closed
Last Modified: 2022-02-16 16:22:06
Resolution: Fixed
Closed By: jan.nijtmans
Closed on: 2022-02-16 16:22:06
Description:

tclExecute.c tries to check for signed integer overflow after the fact using the Overflowing() macro, but does not avoid undefined behavior from occurring in the expressions which overflow; casting operands to unsigned types avoids this (see attached patch).

Below are example triggers for every instance I found and corresponding UBSan (-fsanitize=signed-integer-overflow) errors.

For 32-bit long and 64-bit long long:

% set a 0x7fffffff; incr a 1
tcl/generic/tclExecute.c:1901:7: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'long int'
2147483648
% proc e3932 {} {global x; set x 0x7fffffff; incr x 1}
% e3932
tcl/generic/tclExecute.c:3932:12: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'long int'
% proc e3980_1952 {} {global x; set x 0x7fffffffffffffff; incr x 1}
% e3980_1952
tcl/generic/tclExecute.c:3980:11: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long long int'
tcl/generic/tclExecute.c:1952:6: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long long int'

For 64-bit long:

% proc e6509 {} {return [expr {0x7fffffffffffffff+1}]}
% e6509
tcl/generic/tclExecute.c:6509:16: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
tcl/generic/tclExecute.c:9149:16: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
9223372036854775808
% proc e6524 {} {return [expr {-0x7fffffffffffffff-2}]}
% e6524
tcl/generic/tclExecute.c:6524:16: runtime error: signed integer overflow: -9223372036854775807 - 2 cannot be represented in type 'long'
tcl/generic/tclExecute.c:9165:16: runtime error: signed integer overflow: -9223372036854775807 - 2 cannot be represented in type 'long'
-9223372036854775809

(There is more signed integer overflow in tclExecute.c which I have yet to report/suggest fixes for.)
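
The two patterns side by side, as an added illustration that is not the attached patch or Tcl's own code: the after-the-fact check done in signed arithmetic (the line UBSan reports) next to the same sign-bit test applied to an unsigned sum, exercised with the two expr cases from the report. The type names Wide/UWide, the helper names and the SIGN_BIT macro are assumptions; the demo uses long long only, so it does not reproduce the 32-bit long cases.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Demonstration types (assumed); Tcl's native integers are long / long long. */
typedef long long Wide;
typedef unsigned long long UWide;

/* Sign bit of a value's bit pattern, read through the unsigned type. */
#define SIGN_BIT(v) ((UWide)(v) >> (sizeof(UWide) * CHAR_BIT - 1))

/* The pattern the ticket reports: add in signed arithmetic, then inspect signs.
 * The addition itself is undefined on overflow (this is the line UBSan flags),
 * so the compiler may assume it cannot overflow and drop the test that follows.
 * Kept only for contrast; never called here with overflowing operands. */
static bool add_after_the_fact(Wide a, Wide b, Wide *sum) {
    *sum = a + b;                                  /* UB when it overflows */
    return ((a ^ *sum) < 0) && ((a ^ b) >= 0);    /* same-sign operands, flipped result */
}

/* Corrected pattern: add in unsigned arithmetic, which wraps modulo 2^N by
 * definition, apply the identical sign-bit test to the bit pattern, and convert
 * back to signed only when the value is known to fit. On overflow the caller
 * falls back to wider arithmetic (Tcl promotes to a bignum, as the report's
 * printed results show). */
static bool add_checked(Wide a, Wide b, Wide *sum) {
    UWide usum = (UWide)a + (UWide)b;
    bool overflow = (SIGN_BIT(a) == SIGN_BIT(b)) && (SIGN_BIT(a) != SIGN_BIT(usum));
    if (!overflow) *sum = (Wide)usum;
    return overflow;
}

/* Subtraction: a - b overflows iff a and b differ in sign and the result's sign
 * differs from a's. Covers the -0x7fffffffffffffff-2 case from the report. */
static bool sub_checked(Wide a, Wide b, Wide *diff) {
    UWide udiff = (UWide)a - (UWide)b;
    bool overflow = (SIGN_BIT(a) != SIGN_BIT(b)) && (SIGN_BIT(a) != SIGN_BIT(udiff));
    if (!overflow) *diff = (Wide)udiff;
    return overflow;
}

int main(void) {
    Wide r = 0;
    add_after_the_fact(1, 2, &r);                                              /* safe operands only */
    printf("LLONG_MAX + 1 overflows: %d\n", add_checked(LLONG_MAX, 1, &r));    /* 1 */
    printf("-LLONG_MAX - 2 overflows: %d\n", sub_checked(-LLONG_MAX, 2, &r));  /* 1 */
    if (!add_checked(LLONG_MAX, -1, &r)) printf("LLONG_MAX - 1 = %lld\n", r);  /* 9223372036854775806 */
    return 0;
}
```

Building with -fsanitize=signed-integer-overflow and feeding add_after_the_fact overflowing operands reproduces the kind of diagnostic quoted above; add_checked and sub_checked stay silent because no signed operation ever overflows.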

User Comments: jan.nijtmans added on 2022-02-16 16:22:06:

Fixed [8524520e5b055b74|here]

Thanks for the report!

