author | andreas_kupries <akupries@shaw.ca> | 2010-01-18 22:19:11 (GMT) |
---|---|---|
committer | andreas_kupries <akupries@shaw.ca> | 2010-01-18 22:19:11 (GMT) |
commit | dd8e1bd7964abd576b6ae32c876f793ae4bbaf9b (patch) | |
tree | df0ce681c5c4e6b1a808e500ca637d8609a01b6b | |
parent | 91c61162398c0ed35ad2306485e824c16fff667a (diff) | |
* generic/tclIO.c (CreateScriptRecord): [Bug 2918110]: Initialize
the EventScriptRecord (esPtr) fully before handing it to
Tcl_CreateChannelHandler for registration. Otherwise a reflected
channel calling 'chan postevent' (== Tcl_NotifyChannel) in its
'watchProc' will cause the function 'TclChannelEventScriptInvoker'
to be run on an uninitialized structure.
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | generic/tclIO.c | 29 |
2 files changed, 32 insertions, 6 deletions
@@ -1,3 +1,12 @@
+2010-01-18 Andreas Kupries <andreask@activestate.com>
+
+ * generic/tclIO.c (CreateScriptRecord): [Bug 2918110]: Initialize
+ the EventScriptRecord (esPtr) fully before handing it to
+ Tcl_CreateChannelHandler for registration. Otherwise a reflected
+ channel calling 'chan postevent' (== Tcl_NotifyChannel) in its
+ 'watchProc' will cause the function 'TclChannelEventScriptInvoker'
+ to be run on an uninitialized structure.
+
 2010-01-18 Donal K. Fellows <dkf@users.sf.net>

 * generic/tclStringObj.c (Tcl_AppendFormatToObj): [Bug 2932421]: Stop
diff --git a/generic/tclIO.c b/generic/tclIO.c
index 3f7724b..115bf9a 100644
--- a/generic/tclIO.c
+++ b/generic/tclIO.c
@@ -10,7 +10,7 @@
 * See the file "license.terms" for information on usage and redistribution of
 * this file, and for a DISCLAIMER OF ALL WARRANTIES.
 *
- * RCS: @(#) $Id: tclIO.c,v 1.170 2009/12/09 23:26:53 andreas_kupries Exp $
+ * RCS: @(#) $Id: tclIO.c,v 1.171 2010/01/18 22:19:11 andreas_kupries Exp $
 */

 #include "tclInt.h"
@@ -8677,6 +8677,7 @@ CreateScriptRecord(
 ChannelState *statePtr = chanPtr->state;
 /* State info for channel */
 EventScriptRecord *esPtr;
+ int makeCH;

 for (esPtr=statePtr->scriptRecordPtr; esPtr!=NULL; esPtr=esPtr->nextPtr) {
 if ((esPtr->interp == interp) && (esPtr->mask == mask)) {
@@ -8685,18 +8686,34 @@ CreateScriptRecord(
 break;
 }
 }
- if (esPtr == NULL) {
+
+ makeCH = (esPtr == NULL);
+
+ if (makeCH) {
 esPtr = (EventScriptRecord *) ckalloc(sizeof(EventScriptRecord));
- Tcl_CreateChannelHandler((Tcl_Channel) chanPtr, mask,
- TclChannelEventScriptInvoker, esPtr);
- esPtr->nextPtr = statePtr->scriptRecordPtr;
- statePtr->scriptRecordPtr = esPtr;
 }
+
+ /*
+ * Initialize the structure before calling Tcl_CreateChannelHandler,
+ * because a reflected channel caling 'chan postevent' aka
+ * 'Tcl_NotifyChannel' in its 'watch'Proc will invoke
+ * 'TclChannelEventScriptInvoker' immediately, and we do not wish it to
+ * see uninitialized memory and crash. See [Bug 2918110].
+ */
+
 esPtr->chanPtr = chanPtr;
 esPtr->interp = interp;
 esPtr->mask = mask;
 Tcl_IncrRefCount(scriptPtr);
 esPtr->scriptPtr = scriptPtr;
+
+ if (makeCH) {
+ esPtr->nextPtr = statePtr->scriptRecordPtr;
+ statePtr->scriptRecordPtr = esPtr;
+
+ Tcl_CreateChannelHandler((Tcl_Channel) chanPtr, mask,
+ TclChannelEventScriptInvoker, esPtr);
+ }
 }

 /* |
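Review bot: The new block comment in CreateScriptRecord has two typos in the names a maintainer would search for: `caling` should be `calling`, and `'watch'Proc` should be `'watchProc'`. The comment explains why the fields are assigned early, but the second `if (makeCH)` block does not say that `Tcl_CreateChannelHandler` must stay after every write to `esPtr`, including the `nextPtr` linking. A line such as `/* Register last: the handler may run before this call returns. */` above that call would guard against a later edit reintroducing the use of a partly initialized record. The diffstat lists only ChangeLog and generic/tclIO.c, so no regression test for [Bug 2918110] is visible in this commit. The function's signature and the start of the lookup loop lie outside the hunk.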