author | dkf <donal.k.fellows@manchester.ac.uk> | 2010-04-30 14:06:40 (GMT) |
---|---|---|
committer | dkf <donal.k.fellows@manchester.ac.uk> | 2010-04-30 14:06:40 (GMT) |
commit | 312f44ead9b03addb227c8fb0ee54ba9310a8032 (patch) | |
tree | 0bb8bdd3d7b50caf7f103c3f5606ff827a7b9aca | |
parent | d2d4b3a013a2e128e8f977d132e913770c62db64 (diff) | |
* generic/tclBinary.c (TclAppendBytesToByteArray): Add extra armour
against buffer overflows.
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | generic/tclBinary.c | 17 |
2 files changed, 14 insertions, 6 deletions
@@ -1,5 +1,8 @@ 2010-04-30 Donal K. Fellows <dkf@users.sf.net> + * generic/tclBinary.c (TclAppendBytesToByteArray): Add extra armour + against buffer overflows. + * generic/tclBasic.c (NRInterpCoroutine): Corrected handling of * tests/coroutine.test (coroutine-6.4): arguments to deal with trickier cases. diff --git a/generic/tclBinary.c b/generic/tclBinary.c index 7bfa07a..b74be98 100644 --- a/generic/tclBinary.c +++ b/generic/tclBinary.c @@ -10,7 +10,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclBinary.c,v 1.62 2010/04/29 15:14:33 nijtmans Exp $ + * RCS: @(#) $Id: tclBinary.c,v 1.63 2010/04/30 14:06:41 dkf Exp $ */ #include "tclInt.h" @@ -615,19 +615,24 @@ TclAppendBytesToByteArray( if (byteArrayPtr->used + (int)len > byteArrayPtr->allocated) { unsigned int attempt, used = byteArrayPtr->used; - ByteArray *tmpByteArrayPtr; + ByteArray *tmpByteArrayPtr = NULL; attempt = byteArrayPtr->allocated; do { attempt *= 2; } while (attempt < used+len); - tmpByteArrayPtr = (ByteArray *) - attemptckrealloc((char *) byteArrayPtr, - BYTEARRAY_SIZE(attempt)); + if (BYTEARRAY_SIZE(attempt) > BYTEARRAY_SIZE(used)) { + tmpByteArrayPtr = (ByteArray *) + attemptckrealloc((char *) byteArrayPtr, + BYTEARRAY_SIZE(attempt)); + } if (tmpByteArrayPtr == NULL) { attempt = used + len; + if (BYTEARRAY_SIZE(attempt) < BYTEARRAY_SIZE(used)) { + Tcl_Panic("attempt to allocate a bigger buffer than we can handle"); + } tmpByteArrayPtr = (ByteArray *) ckrealloc((char *) byteArrayPtr, BYTEARRAY_SIZE(attempt)); } @@ -1118,7 +1123,7 @@ BinaryFormatCmd( * this is safe since we aren't going to modify the array. */ - listv = (Tcl_Obj**)(objv + arg); + listv = (Tcl_Obj **) (objv + arg); listc = 1; count = 1; } else { |
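Review bot: The outer guard `byteArrayPtr->used + (int)len > byteArrayPtr->allocated` in the `@@ -615` hunk is still evaluated as `int`, so a `len` large enough to go negative under the cast (or to overflow the sum) can make the test false and skip the whole growth path, including both new `BYTEARRAY_SIZE` checks; the copy that presumably follows outside the hunk would then write past the existing allocation. The new checks also run only after `do { attempt *= 2; } while (attempt < used+len);`, where an `attempt` that doubles past the range of `unsigned int` can become 0 and then cannot grow again, so that case hangs instead of reaching `Tcl_Panic`. I would reject the oversized request once, ahead of the guard, with something like `if (len > (unsigned int)(INT_MAX - byteArrayPtr->used)) { Tcl_Panic("attempt to allocate a bigger buffer than we can handle"); }`. The declarations of `len`, `used` and `allocated` are outside the hunk, so the bound and the cast need checking against their real types.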