diff options
| author | dkf <donal.k.fellows@manchester.ac.uk> | 2002-03-15 15:39:06 (GMT) |
|---|---|---|
| committer | dkf <donal.k.fellows@manchester.ac.uk> | 2002-03-15 15:39:06 (GMT) |
| commit | e51eaf9011544d3ccb2756c1e458cc42aeddd877 (patch) | |
| tree | 9f578d4be03050603948e19b5188a382731b945f | |
| parent | 93f80c911dda1024d86d0faf63274fa858cc60f1 (diff) | |
| download | tcl-e51eaf9011544d3ccb2756c1e458cc42aeddd877.zip tcl-e51eaf9011544d3ccb2756c1e458cc42aeddd877.tar.gz tcl-e51eaf9011544d3ccb2756c1e458cc42aeddd877.tar.bz2 | |
Fixed buffer overrun reported in 530320; luckily it is not likely to
be exploitable in any meaningful way, but crashing Tcl instead of
triggering an error still isn't good.
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | generic/tclCompile.c | 7 | ||||
| -rw-r--r-- | tests/compile.test | 9 |
3 files changed, 18 insertions, 4 deletions
@@ -1,3 +1,9 @@ +2002-03-15 Donal K. Fellows <fellowsd@cs.man.ac.uk> + + * tests/compile.test (compile-12.3): Test to detect bug 530320. + * generic/tclCompile.c (TclCompileTokens): Fixed buffer overrun + reported in bug 530320. + 2002-03-14 Mo DeJong <mdejong@users.sourceforge.net> * win/configure: Regen. diff --git a/generic/tclCompile.c b/generic/tclCompile.c index 24a8693..d461309 100644 --- a/generic/tclCompile.c +++ b/generic/tclCompile.c @@ -11,7 +11,7 @@ * See the file "license.terms" for information on usage and redistribution * of this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclCompile.c,v 1.31 2002/01/25 20:40:55 dgp Exp $ + * RCS: @(#) $Id: tclCompile.c,v 1.32 2002/03/15 15:39:06 dkf Exp $ */ #include "tclInt.h" @@ -1239,10 +1239,11 @@ TclCompileTokens(interp, tokenPtr, count, envPtr) code = TclCompileTokens(interp, tokenPtr+2, tokenPtr->numComponents-1, envPtr); if (code != TCL_OK) { - sprintf(buffer, + char errorBuffer[150]; + sprintf(errorBuffer, "\n (parsing index for array \"%.*s\")", ((nameBytes > 100)? 100 : nameBytes), name); - Tcl_AddObjErrorInfo(interp, buffer, -1); + Tcl_AddObjErrorInfo(interp, errorBuffer, -1); goto error; } if (localVar < 0) { diff --git a/tests/compile.test b/tests/compile.test index 03f8295..7086de5 100644 --- a/tests/compile.test +++ b/tests/compile.test @@ -11,7 +11,7 @@ # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # -# RCS: @(#) $Id: compile.test,v 1.17 2001/12/06 10:59:17 dkf Exp $ +# RCS: @(#) $Id: compile.test,v 1.18 2002/03/15 15:39:07 dkf Exp $ if {[lsearch [namespace children] ::tcltest] == -1} { package require tcltest @@ -285,6 +285,13 @@ test compile-12.2 {testing error on literal deletion} {memDebug execCommandExist catch {::tcltest::removeFile source.file} set res } 0 +# Test to catch buffer overrun in TclCompileTokens from buf 530320 +test compile-12.3 {check for a buffer overrun} { + proc crash {} { + puts $array([expr {a+2}]) + } + list [catch crash msg] $msg +} {1 {syntax error in expression "a+2": variable references require preceding $}} # Special test for underestimating the maxStackSize required for a # compiled command. A failure will cause a segfault in the child |