summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordgp <dgp@users.sourceforge.net>2009-09-29 04:43:58 (GMT)
committerdgp <dgp@users.sourceforge.net>2009-09-29 04:43:58 (GMT)
commite86bb45b55c6b47d64f14589e770f19f996aee47 (patch)
treecfb2df62951bf644dae366c44a8ebfca3ca41cb2
parent3ed3e2fa9c66c4985b02e167aca70a0cd2f346ef (diff)
downloadtcl-e86bb45b55c6b47d64f14589e770f19f996aee47.zip
tcl-e86bb45b55c6b47d64f14589e770f19f996aee47.tar.gz
tcl-e86bb45b55c6b47d64f14589e770f19f996aee47.tar.bz2
* generic/tclAlloc.c: Cleaned up various routines in the
* generic/tclCkalloc.c: call stacks for memory allocation to * generic/tclInt.h: guarantee that any size values computed * generic/tclThreadAlloc.c: are within the domains of the routines they get passed to. [Bugs 2557696 and 2557796].
-rw-r--r--ChangeLog8
-rw-r--r--generic/tclAlloc.c12
-rw-r--r--generic/tclCkalloc.c30
-rw-r--r--generic/tclInt.h13
-rwxr-xr-xgeneric/tclThreadAlloc.c30
5 files changed, 72 insertions, 21 deletions
diff --git a/ChangeLog b/ChangeLog
index 84cb6ad..0980e51 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-09-29 Don Porter <dgp@users.sourceforge.net>
+
+ * generic/tclAlloc.c: Cleaned up various routines in the
+ * generic/tclCkalloc.c: call stacks for memory allocation to
+ * generic/tclInt.h: guarantee that any size values computed
+ * generic/tclThreadAlloc.c: are within the domains of the routines
+ they get passed to. [Bugs 2557696 and 2557796].
+
2009-09-11 Don Porter <dgp@users.sourceforge.net>
* library/http/http.tcl: Bump to http 2.7.4 to account for
diff --git a/generic/tclAlloc.c b/generic/tclAlloc.c
index de21c7c..3df29d7 100644
--- a/generic/tclAlloc.c
+++ b/generic/tclAlloc.c
@@ -15,7 +15,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclAlloc.c,v 1.27 2007/12/17 15:28:27 msofer Exp $
+ * RCS: @(#) $Id: tclAlloc.c,v 1.27.2.1 2009/09/29 04:43:58 dgp Exp $
*/
/*
@@ -265,7 +265,7 @@ TclpAlloc(
register union overhead *overPtr;
register long bucket;
register unsigned amount;
- struct block *bigBlockPtr;
+ struct block *bigBlockPtr = NULL;
if (!allocInit) {
/*
@@ -281,9 +281,11 @@ TclpAlloc(
* First the simple case: we simple allocate big blocks directly.
*/
- if (numBytes + OVERHEAD >= MAXMALLOC) {
- bigBlockPtr = (struct block *) TclpSysAlloc((unsigned)
- (sizeof(struct block) + OVERHEAD + numBytes), 0);
+ if (numBytes >= MAXMALLOC - OVERHEAD) {
+ if (numBytes <= UINT_MAX - OVERHEAD -sizeof(struct block)) {
+ bigBlockPtr = (struct block *) TclpSysAlloc((unsigned)
+ (sizeof(struct block) + OVERHEAD + numBytes), 0);
+ }
if (bigBlockPtr == NULL) {
Tcl_MutexUnlock(allocMutexPtr);
return NULL;
diff --git a/generic/tclCkalloc.c b/generic/tclCkalloc.c
index ee259d4..a29208a 100644
--- a/generic/tclCkalloc.c
+++ b/generic/tclCkalloc.c
@@ -14,7 +14,7 @@
*
* This code contributed by Karl Lehenbauer and Mark Diekhans
*
- * RCS: @(#) $Id: tclCkalloc.c,v 1.32 2007/04/23 20:33:56 das Exp $
+ * RCS: @(#) $Id: tclCkalloc.c,v 1.32.4.1 2009/09/29 04:43:58 dgp Exp $
*/
#include "tclInt.h"
@@ -87,8 +87,8 @@ static struct mem_header *allocHead = NULL; /* List of allocated structures */
static int total_mallocs = 0;
static int total_frees = 0;
-static int current_bytes_malloced = 0;
-static int maximum_bytes_malloced = 0;
+static size_t current_bytes_malloced = 0;
+static size_t maximum_bytes_malloced = 0;
static int current_malloc_packets = 0;
static int maximum_malloc_packets = 0;
static int break_on_malloc = 0;
@@ -175,11 +175,11 @@ TclDumpMemoryInfo(
total_frees);
fprintf(outFile,"current packets allocated %10d\n",
current_malloc_packets);
- fprintf(outFile,"current bytes allocated %10d\n",
+ fprintf(outFile,"current bytes allocated %10lu\n",
current_bytes_malloced);
fprintf(outFile,"maximum packets allocated %10d\n",
maximum_malloc_packets);
- fprintf(outFile,"maximum bytes allocated %10d\n",
+ fprintf(outFile,"maximum bytes allocated %10lu\n",
maximum_bytes_malloced);
}
@@ -376,14 +376,17 @@ Tcl_DbCkalloc(
CONST char *file,
int line)
{
- struct mem_header *result;
+ struct mem_header *result = NULL;
if (validate_memory) {
Tcl_ValidateAllMemory(file, line);
}
- result = (struct mem_header *) TclpAlloc((unsigned)size +
- sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+ /* Don't let size argument to TclpAlloc overflow */
+ if (size <= UINT_MAX - HIGH_GUARD_SIZE -sizeof(struct mem_header)) {
+ result = (struct mem_header *) TclpAlloc((unsigned)size +
+ sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+ }
if (result == NULL) {
fflush(stdout);
TclDumpMemoryInfo(stderr);
@@ -467,14 +470,17 @@ Tcl_AttemptDbCkalloc(
CONST char *file,
int line)
{
- struct mem_header *result;
+ struct mem_header *result = NULL;
if (validate_memory) {
Tcl_ValidateAllMemory(file, line);
}
- result = (struct mem_header *) TclpAlloc((unsigned)size +
- sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+ /* Don't let size argument to TclpAlloc overflow */
+ if (size <= UINT_MAX - HIGH_GUARD_SIZE - sizeof(struct mem_header)) {
+ result = (struct mem_header *) TclpAlloc((unsigned)size +
+ sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+ }
if (result == NULL) {
fflush(stdout);
TclDumpMemoryInfo(stderr);
@@ -843,7 +849,7 @@ MemoryCmd(
}
if (strcmp(argv[1],"info") == 0) {
Tcl_SetObjResult(interp, Tcl_ObjPrintf(
- "%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n",
+ "%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10lu\n%-25s %10d\n%-25s %10lu\n",
"total mallocs", total_mallocs, "total frees", total_frees,
"current packets allocated", current_malloc_packets,
"current bytes allocated", current_bytes_malloced,
diff --git a/generic/tclInt.h b/generic/tclInt.h
index b39eeb6..30c663f 100644
--- a/generic/tclInt.h
+++ b/generic/tclInt.h
@@ -13,7 +13,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclInt.h,v 1.362.2.8 2009/08/25 21:01:05 andreas_kupries Exp $
+ * RCS: @(#) $Id: tclInt.h,v 1.362.2.9 2009/09/29 04:43:58 dgp Exp $
*/
#ifndef _TCLINT
@@ -3607,10 +3607,15 @@ MODULE_SCOPE void TclDbInitNewObj(Tcl_Obj *objPtr);
*----------------------------------------------------------------
*/
+#define TCL_MAX_TOKENS (int)(UINT_MAX / sizeof(Tcl_Token))
#define TCL_MIN_TOKEN_GROWTH 50
#define TclGrowTokenArray(tokenPtr, used, available, append, staticPtr) \
{ \
int needed = (used) + (append); \
+ if (needed > TCL_MAX_TOKENS) { \
+ Tcl_Panic("max # of tokens for a Tcl parse (%d) exceeded", \
+ TCL_MAX_TOKENS); \
+ } \
if (needed > (available)) { \
int allocated = 2 * needed; \
Tcl_Token *oldPtr = (tokenPtr); \
@@ -3618,10 +3623,16 @@ MODULE_SCOPE void TclDbInitNewObj(Tcl_Obj *objPtr);
if (oldPtr == (staticPtr)) { \
oldPtr = NULL; \
} \
+ if (allocated > TCL_MAX_TOKENS) { \
+ allocated = TCL_MAX_TOKENS; \
+ } \
newPtr = (Tcl_Token *) attemptckrealloc( (char *) oldPtr, \
(unsigned int) (allocated * sizeof(Tcl_Token))); \
if (newPtr == NULL) { \
allocated = needed + (append) + TCL_MIN_TOKEN_GROWTH; \
+ if (allocated > TCL_MAX_TOKENS) { \
+ allocated = TCL_MAX_TOKENS; \
+ } \
newPtr = (Tcl_Token *) ckrealloc( (char *) oldPtr, \
(unsigned int) (allocated * sizeof(Tcl_Token))); \
} \
diff --git a/generic/tclThreadAlloc.c b/generic/tclThreadAlloc.c
index 0850d66..e32ad84 100755
--- a/generic/tclThreadAlloc.c
+++ b/generic/tclThreadAlloc.c
@@ -11,7 +11,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclThreadAlloc.c,v 1.27 2008/03/20 09:49:16 dkf Exp $
+ * RCS: @(#) $Id: tclThreadAlloc.c,v 1.27.2.1 2009/09/29 04:43:59 dgp Exp $
*/
#include "tclInt.h"
@@ -288,11 +288,23 @@ char *
TclpAlloc(
unsigned int reqSize)
{
- Cache *cachePtr = TclpGetAllocCache();
+ Cache *cachePtr;
Block *blockPtr;
register int bucket;
size_t size;
+ if (sizeof(int) >= sizeof(size_t)) {
+ /* An unsigned int overflow can also be a size_t overflow */
+ const size_t zero = 0;
+ const size_t max = ~zero;
+
+ if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) {
+ /* Requested allocation exceeds memory */
+ return NULL;
+ }
+ }
+
+ cachePtr = TclpGetAllocCache();
if (cachePtr == NULL) {
cachePtr = GetCache();
}
@@ -414,7 +426,7 @@ TclpRealloc(
char *ptr,
unsigned int reqSize)
{
- Cache *cachePtr = TclpGetAllocCache();
+ Cache *cachePtr;
Block *blockPtr;
void *newPtr;
size_t size, min;
@@ -424,6 +436,18 @@ TclpRealloc(
return TclpAlloc(reqSize);
}
+ if (sizeof(int) >= sizeof(size_t)) {
+ /* An unsigned int overflow can also be a size_t overflow */
+ const size_t zero = 0;
+ const size_t max = ~zero;
+
+ if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) {
+ /* Requested allocation exceeds memory */
+ return NULL;
+ }
+ }
+
+ cachePtr = TclpGetAllocCache();
if (cachePtr == NULL) {
cachePtr = GetCache();
}