diff options
| author | dgp <dgp@users.sourceforge.net> | 2017-05-05 19:10:52 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2017-05-05 19:10:52 (GMT) |
| commit | 509ac989d9ace73fcc8da899b7ea70fc3bd8c1d7 (patch) | |
| tree | ba64a5cb89b07e6f69ebef43632af419d24af348 | |
| parent | 2d302090fb3a5abcff4a3346629a4cadb465adc4 (diff) | |
| parent | ab808831bd7d76198dfc874049b9fd00b009646e (diff) | |
| download | tcl-509ac989d9ace73fcc8da899b7ea70fc3bd8c1d7.zip tcl-509ac989d9ace73fcc8da899b7ea70fc3bd8c1d7.tar.gz tcl-509ac989d9ace73fcc8da899b7ea70fc3bd8c1d7.tar.bz2 | |
[6015221f59] Segfault after overflow of [binary] field specifier numeric count.
| -rw-r--r-- | generic/tclBinary.c | 10 | ||||
| -rw-r--r-- | tests/binary.test | 12 |
2 files changed, 21 insertions, 1 deletions
diff --git a/generic/tclBinary.c b/generic/tclBinary.c index 981f174..2a4fd84 100644 --- a/generic/tclBinary.c +++ b/generic/tclBinary.c @@ -1653,7 +1653,15 @@ GetFormatSpec( (*formatPtr)++; *countPtr = BINARY_ALL; } else if (isdigit(UCHAR(**formatPtr))) { /* INTL: digit */ - *countPtr = strtoul(*formatPtr, (char **) formatPtr, 10); + unsigned long int count; + + errno = 0; + count = strtoul(*formatPtr, (char **) formatPtr, 10); + if (errno || (count > (unsigned long) INT_MAX)) { + *countPtr = INT_MAX; + } else { + *countPtr = (int) count; + } } else { *countPtr = BINARY_NOCOUNT; } diff --git a/tests/binary.test b/tests/binary.test index 40b1315..2a306a3 100644 --- a/tests/binary.test +++ b/tests/binary.test @@ -1506,6 +1506,18 @@ test binary-37.9 {GetFormatSpec: numbers} { binary scan $x f* bla set bla } {1.0 -1.0 2.0 -2.0 0.0} +test binary-37.10 {GetFormatSpec: count overflow} { + binary scan x a[format %ld 0x7fffffff] r +} 0 +test binary-37.11 {GetFormatSpec: count overflow} { + binary scan x a[format %ld 0x10000000] r +} 0 +test binary-37.12 {GetFormatSpec: count overflow} { + binary scan x a[format %ld 0x100000000] r +} 0 +test binary-37.13 {GetFormatSpec: count overflow} { + binary scan x a[format %lld 0x10000000000000000] r +} 0 test binary-38.1 {FormatNumber: word alignment} { set x [binary format c1s1 1 1] |