diff options
| author | dgp <dgp@users.sourceforge.net> | 2011-07-13 17:53:58 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2011-07-13 17:53:58 (GMT) |
| commit | 965e4bbab2201076c8c2bc6ae5baca705ab889b0 (patch) | |
| tree | f1620db0ed8edabd97357b78ee3e6acb96377b72 | |
| parent | 15d2827a35e23f3221491e1cfc89efa5545e9e9f (diff) | |
| download | tcl-965e4bbab2201076c8c2bc6ae5baca705ab889b0.zip tcl-965e4bbab2201076c8c2bc6ae5baca705ab889b0.tar.gz tcl-965e4bbab2201076c8c2bc6ae5baca705ab889b0.tar.bz2 | |
3366265 Buffer allocated one byte too small caused overrun.
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | generic/tclProc.c | 2 | ||||
| -rw-r--r-- | tests/indexObj.test | 5 | ||||
| -rw-r--r-- | tests/proc.test | 5 |
4 files changed, 18 insertions, 1 deletions
@@ -1,3 +1,10 @@ +2011-07-13 Don Porter <dgp@users.sourceforge.net> + + * generic/tclProc.c: [Bug 3366265] Buffer for storing the command + * tests/indexObj.test: name formatted as a list element is allocated + * tests/proc.test: one byte too small, causing buffer overflow + when the proc with the empty name raises a "wrong num args" error. + 2011-07-03 Donal K. Fellows <dkf@users.sf.net> * doc/FileSystem.3: Corrected statements about ctime field of 'struct diff --git a/generic/tclProc.c b/generic/tclProc.c index be35bab..abfd152 100644 --- a/generic/tclProc.c +++ b/generic/tclProc.c @@ -1155,7 +1155,7 @@ TclObjInterpProc(clientData, interp, objc, objv) len = Tcl_ScanCountedElement(procName, nameLen, &flags); if (len != nameLen) { - char *procName1 = ckalloc((unsigned) len); + char *procName1 = ckalloc((unsigned) len + 1); len = Tcl_ConvertCountedElement(procName, nameLen, procName1, flags); Tcl_AppendToObj(objResult, procName1, len); ckfree(procName1); diff --git a/tests/indexObj.test b/tests/indexObj.test index 6dd66b6..414901f 100644 --- a/tests/indexObj.test +++ b/tests/indexObj.test @@ -108,6 +108,11 @@ test indexObj-5.5 {Tcl_WrongNumArgs} { test indexObj-5.6 {Tcl_WrongNumArgs} { testwrongnumargs 2 "" mycmd foo } "wrong # args: should be \"mycmd foo\"" +# Contrast this with test proc-3.6; they have to be like this because +# of [Bug 1066837] so Itcl won't break. +test indexObj-5.7 {Tcl_WrongNumArgs} testindexobj { + testwrongnumargs 2 "fee fi" "fo fum" foo bar +} "wrong # args: should be \"fo fum foo fee fi\"" test indexObj-6.1 {Tcl_GetIndexFromObjStruct} { set x a diff --git a/tests/proc.test b/tests/proc.test index 4e28554..8974663 100644 --- a/tests/proc.test +++ b/tests/proc.test @@ -171,6 +171,11 @@ test proc-3.6 {TclObjInterpProc, proper quoting of proc name, Bug 942757} { list [catch {{a b c}} msg] $msg } {1 {wrong # args: should be "{a b c} x"}} +test proc-3.7 {TclObjInterpProc, wrong num args, Bug 3366265} { + proc {} {x} {} + list [catch {{}} msg] $msg +} {1 {wrong # args: should be "{} x"}} + catch {eval namespace delete [namespace children :: test_ns_*]} catch {rename p ""} catch {rename {} ""} |