closes [d051b77fc18d7340]: fixed segfault by integer overflow (if width by format like "%4000000000g" overflows to negative values by scan of length)

author: sebres <sebres@users.sourceforge.net> 2018-07-26 15:57:38 (GMT)
committer: sebres <sebres@users.sourceforge.net> 2018-07-26 15:57:38 (GMT)
commit: 7e727bed70653d181a190d921ea951707ad4078a (patch)
tree: cc3f42a2e3b7d93eb43594b81d9ca9f5098ccdd9
parent: 885a163b3c4ec29beb88d95cf6ff60687aa25223 (diff)
download: tcl-7e727bed70653d181a190d921ea951707ad4078a.zip
tcl-7e727bed70653d181a190d921ea951707ad4078a.tar.gz
tcl-7e727bed70653d181a190d921ea951707ad4078a.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index 996be77..462ef04 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -1938,6 +1938,10 @@ Tcl_AppendFormatToObj(
 	width = 0;
 	if (isdigit(UCHAR(ch))) {
 	    width = strtoul(format, &end, 10);
+	    if (width < 0) {
+		msg = overflow;
+		goto errorMsg;
+	    }
 	    format = end;
 	    step = Tcl_UtfToUniChar(format, &ch);
 	} else if (ch == '*') {
author	sebres <sebres@users.sourceforge.net>	2018-07-26 15:57:38 (GMT)
committer	sebres <sebres@users.sourceforge.net>	2018-07-26 15:57:38 (GMT)
commit	7e727bed70653d181a190d921ea951707ad4078a (patch)
tree	cc3f42a2e3b7d93eb43594b81d9ca9f5098ccdd9
parent	885a163b3c4ec29beb88d95cf6ff60687aa25223 (diff)
download	tcl-7e727bed70653d181a190d921ea951707ad4078a.zip tcl-7e727bed70653d181a190d921ea951707ad4078a.tar.gz tcl-7e727bed70653d181a190d921ea951707ad4078a.tar.bz2