diff options
author | dgp <dgp@users.sourceforge.net> | 2017-05-05 19:11:33 (GMT) |
---|---|---|
committer | dgp <dgp@users.sourceforge.net> | 2017-05-05 19:11:33 (GMT) |
commit | 435fd1ab8b987021ad8a7220a1f4fc89c3a4c872 (patch) | |
tree | 69cc278dc4f56de87c60196da9f49f1092ec866b | |
parent | aa7f26cefe717461f284fb9e389ee6a613b2d970 (diff) | |
parent | 509ac989d9ace73fcc8da899b7ea70fc3bd8c1d7 (diff) | |
download | tcl-435fd1ab8b987021ad8a7220a1f4fc89c3a4c872.zip tcl-435fd1ab8b987021ad8a7220a1f4fc89c3a4c872.tar.gz tcl-435fd1ab8b987021ad8a7220a1f4fc89c3a4c872.tar.bz2 |
[6015221f59] Segfault after overflow of [binary] field specifier numeric count.
-rw-r--r-- | generic/tclBinary.c | 10 | ||||
-rw-r--r-- | tests/binary.test | 12 |
2 files changed, 21 insertions, 1 deletions
diff --git a/generic/tclBinary.c b/generic/tclBinary.c index a3e5071..72f1498 100644 --- a/generic/tclBinary.c +++ b/generic/tclBinary.c @@ -1743,7 +1743,15 @@ GetFormatSpec( (*formatPtr)++; *countPtr = BINARY_ALL; } else if (isdigit(UCHAR(**formatPtr))) { /* INTL: digit */ - *countPtr = strtoul(*formatPtr, (char **) formatPtr, 10); + unsigned long int count; + + errno = 0; + count = strtoul(*formatPtr, (char **) formatPtr, 10); + if (errno || (count > (unsigned long) INT_MAX)) { + *countPtr = INT_MAX; + } else { + *countPtr = (int) count; + } } else { *countPtr = BINARY_NOCOUNT; } diff --git a/tests/binary.test b/tests/binary.test index 7738f69..1ee815b 100644 --- a/tests/binary.test +++ b/tests/binary.test @@ -1506,6 +1506,18 @@ test binary-37.9 {GetFormatSpec: numbers} { binary scan $x f* bla set bla } {1.0 -1.0 2.0 -2.0 0.0} +test binary-37.10 {GetFormatSpec: count overflow} { + binary scan x a[format %ld 0x7fffffff] r +} 0 +test binary-37.11 {GetFormatSpec: count overflow} { + binary scan x a[format %ld 0x10000000] r +} 0 +test binary-37.12 {GetFormatSpec: count overflow} { + binary scan x a[format %ld 0x100000000] r +} 0 +test binary-37.13 {GetFormatSpec: count overflow} { + binary scan x a[format %lld 0x10000000000000000] r +} 0 test binary-38.1 {FormatNumber: word alignment} { set x [binary format c1s1 1 1] |