Fix [b5ac3e3786] - Tcl_GetUniChar oob read

author: apnadkarni <apnmbx-wits@yahoo.com> 2023-09-05 05:48:57 (GMT)
committer: apnadkarni <apnmbx-wits@yahoo.com> 2023-09-05 05:48:57 (GMT)
commit: 22f59c102a2c3880b0e8aa0b3cae623411e84b2f (patch)
tree: 35411e4a59dd4e1245b92c6413f5ae03acdd6399
parent: 38d04b648dd088e9c28b707603b82dcac81411e5 (diff)
download: tcl-22f59c102a2c3880b0e8aa0b3cae623411e84b2f.zip
tcl-22f59c102a2c3880b0e8aa0b3cae623411e84b2f.tar.gz
tcl-22f59c102a2c3880b0e8aa0b3cae623411e84b2f.tar.bz2
1 files changed, 7 insertions, 0 deletions
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index b1046b1..975b991 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -575,6 +575,9 @@ Tcl_GetUniChar(
 	if (stringPtr->numChars == -1) {
 	    TclNumUtfChars(stringPtr->numChars, objPtr->bytes, objPtr->length);
 	}
+        if (index >= stringPtr->numChars) {
+            return 0xFFFD;
+        }
 	if (stringPtr->numChars == objPtr->length) {
 	    return (unsigned char) objPtr->bytes[index];
 	}
@@ -631,7 +634,11 @@ TclGetUCS4(
 	if (stringPtr->numChars == -1) {
 	    TclNumUtfChars(stringPtr->numChars, objPtr->bytes, objPtr->length);
 	}
+        if (index >= stringPtr->numChars) {
+            return -1;
+        }
 	if (stringPtr->numChars == objPtr->length) {
+            /* Pure ascii, can directly index bytes */
 	    return (unsigned char) objPtr->bytes[index];
 	}
 	FillUnicodeRep(objPtr);
author	apnadkarni <apnmbx-wits@yahoo.com>	2023-09-05 05:48:57 (GMT)
committer	apnadkarni <apnmbx-wits@yahoo.com>	2023-09-05 05:48:57 (GMT)
commit	22f59c102a2c3880b0e8aa0b3cae623411e84b2f (patch)
tree	35411e4a59dd4e1245b92c6413f5ae03acdd6399
parent	38d04b648dd088e9c28b707603b82dcac81411e5 (diff)
download	tcl-22f59c102a2c3880b0e8aa0b3cae623411e84b2f.zip tcl-22f59c102a2c3880b0e8aa0b3cae623411e84b2f.tar.gz tcl-22f59c102a2c3880b0e8aa0b3cae623411e84b2f.tar.bz2