Ticket UUID: 7f8a3d981843fe53d6a6a6bd659f3a3440bd15e3
Title: signed integer overflow in tclExecute.c
Type: Patch
Version: core-8-6-branch
Submitter: chrstphrchvz
Created on: 2022-02-15 22:46:40
Subsystem: 48. Number Handling
Assigned To: jan.nijtmans
Priority: 5 Medium
Severity: Minor
Status: Closed
Last Modified: 2022-02-16 16:22:06
Resolution: Fixed
Closed By: jan.nijtmans
Closed on: 2022-02-16 16:22:06
Description:

tclExecute.c tries to check for signed integer overflow after the fact using the Overflowing() macro, but does not avoid undefined behavior from occurring in the expressions which overflow; casting operands to unsigned types avoids this (see attached patch). Below are example triggers for every instance I found and corresponding UBSan (-fsanitize=signed-integer-overflow) errors.

For 32-bit long and 64-bit long long:

    % set a 0x7fffffff; incr a 1
    tcl/generic/tclExecute.c:1901:7: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'long int'
    2147483648
    % proc e3932 {} {global x; set x 0x7fffffff; incr x 1}
    % e3932
    tcl/generic/tclExecute.c:3932:12: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'long int'
    % proc e3980_1952 {} {global x; set x 0x7fffffffffffffff; incr x 1}
    % e3980_1952
    tcl/generic/tclExecute.c:3980:11: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long long int'
    tcl/generic/tclExecute.c:1952:6: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long long int'

For 64-bit long:

    % proc e6509 {} {return [expr {0x7fffffffffffffff+1}]}
    % e6509
    tcl/generic/tclExecute.c:6509:16: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
    tcl/generic/tclExecute.c:9149:16: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
    9223372036854775808
    % proc e6524 {} {return [expr {-0x7fffffffffffffff-2}]}
    % e6524
    tcl/generic/tclExecute.c:6524:16: runtime error: signed integer overflow: -9223372036854775807 - 2 cannot be represented in type 'long'
    tcl/generic/tclExecute.c:9165:16: runtime error: signed integer overflow: -9223372036854775807 - 2 cannot be represented in type 'long'
    -9223372036854775809

(There is more signed integer overflow in tclExecute.c which I have yet to report/suggest fixes for.)
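The pattern the report describes, as an added example that is not Tcl's code and not the attached patch: an after-the-fact sign test is only sound if the addition that produced the sum was itself defined, so the arithmetic is done in the unsigned type (where wrap-around is defined) and converted back before the test. The sign-xor shape of the OVERFLOWING() macro, the function names, and the use of ~b as a sign surrogate for subtraction (so that negating LONG_MIN is never needed) are this example's own choices, not taken from the page.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Sign-based overflow test, evaluated after computing `sum`: a and b have
 * the same sign, but the result has a different one. This shape is an
 * assumption about the Tcl macro, not a copy of it. */
#define OVERFLOWING(a, b, sum) ((((a) ^ (sum)) < 0) && (((a) ^ (b)) >= 0))

/* "Before": the addition is performed in signed long. When it overflows,
 * that expression is undefined behaviour; -fsanitize=signed-integer-overflow
 * reports it, and an optimiser may legitimately delete the check that follows
 * because it assumes the overflow cannot have happened. */
bool add_after_the_fact(long a, long b, long *out)
{
    long sum = a + b;                  /* UB when a + b overflows long */
    if (OVERFLOWING(a, b, sum)) {
        return false;
    }
    *out = sum;
    return true;
}

/* "After": operands are converted to unsigned long, where wrap-around is
 * defined as arithmetic modulo 2^N. Converting the wrapped value back to
 * long is implementation-defined (two's-complement wrap on mainstream
 * compilers; defined as modular in C23), not undefined, so the sign test
 * that follows is evaluated on a value that actually exists. */
bool add_checked(long a, long b, long *out)
{
    unsigned long ua = (unsigned long)a, ub = (unsigned long)b;
    long sum = (long)(ua + ub);
    if (OVERFLOWING(a, b, sum)) {
        return false;
    }
    *out = sum;
    return true;
}

/* Subtraction with the same approach. a - b overflows only when a and b have
 * different signs and the result's sign differs from a's. ~b always has the
 * opposite sign of b, so passing ~b to the macro expresses "a and b differ in
 * sign" without computing -b, which would itself overflow for LONG_MIN. */
bool sub_checked(long a, long b, long *out)
{
    unsigned long ua = (unsigned long)a, ub = (unsigned long)b;
    long diff = (long)(ua - ub);
    if (OVERFLOWING(a, ~b, diff)) {
        return false;
    }
    *out = diff;
    return true;
}

static void show(const char *label, bool ok, long r)
{
    if (ok) {
        printf("%s = %ld\n", label, r);
    } else {
        printf("%s -> overflow, caller must promote to a wider type\n", label);
    }
}

int main(void)
{
    long r = 0;
    /* The report's 64-bit triggers, expressed as plain long arithmetic. */
    show("LONG_MAX + 1", add_checked(LONG_MAX, 1, &r), r);
    show("-LONG_MAX - 2", sub_checked(-LONG_MAX, 2, &r), r);
    show("LONG_MAX + 0", add_checked(LONG_MAX, 0, &r), r);
    show("0 - LONG_MIN", sub_checked(0, LONG_MIN, &r), r);
    /* Build with -fsanitize=signed-integer-overflow to see the "before"
     * variant flagged on the same input; the "after" variant stays silent. */
    show("LONG_MAX + 1 (after-the-fact)", add_after_the_fact(LONG_MAX, 1, &r), r);
    return 0;
}
```

Only the add_checked() and sub_checked() paths are exercised by the checks; the after-the-fact variant is kept beside them to show what the sanitizer output in the report corresponds to.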
User Comments:
jan.nijtmans added on 2022-02-16 16:22:06:
Fixed [8524520e5b055b74|here]. Thanks for the report!
Attachments:
- tclExecute-sif.diff, added by chrstphrchvz on 2022-02-15 22:47:29.