summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordgp <dgp@users.sourceforge.net>2009-03-20 14:43:27 (GMT)
committerdgp <dgp@users.sourceforge.net>2009-03-20 14:43:27 (GMT)
commitdfe41925f76a800c5abaaffdbe7b7676fca1430c (patch)
tree34b18c3ec4beee28ee636efcd4ed47a391c81853
parente6e54e79e2d7333a81f91a9525ed518f9d96a0cd (diff)
downloadtcl-dfe41925f76a800c5abaaffdbe7b7676fca1430c.zip
tcl-dfe41925f76a800c5abaaffdbe7b7676fca1430c.tar.gz
tcl-dfe41925f76a800c5abaaffdbe7b7676fca1430c.tar.bz2
* generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow
the max length of a Tcl value. [Bug 2669109]
-rw-r--r--ChangeLog5
-rw-r--r--generic/tclExecute.c22
2 files changed, 22 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 014bcde..12d4812 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-03-20 Don Porter <dgp@users.sourceforge.net>
+
+ * generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow
+ the max length of a Tcl value. [Bug 2669109]
+
2009-03-19 Miguel Sofer <msofer@users.sf.net>
* generic/tcl.h:
diff --git a/generic/tclExecute.c b/generic/tclExecute.c
index 49862ae..5e8b1a7 100644
--- a/generic/tclExecute.c
+++ b/generic/tclExecute.c
@@ -14,7 +14,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclExecute.c,v 1.429 2009/03/19 23:31:37 msofer Exp $
+ * RCS: @(#) $Id: tclExecute.c,v 1.430 2009/03/20 14:43:27 dgp Exp $
*/
#include "tclInt.h"
@@ -2410,16 +2410,16 @@ TclExecuteByteCode(
*/
if (onlyb) {
- for (currPtr = &OBJ_AT_DEPTH(opnd-2); currPtr <= &OBJ_AT_TOS;
- currPtr++) {
+ for (currPtr = &OBJ_AT_DEPTH(opnd-2);
+ appendLen >= 0 && currPtr <= &OBJ_AT_TOS; currPtr++) {
if ((*currPtr)->bytes != tclEmptyStringRep) {
Tcl_GetByteArrayFromObj(*currPtr, &length);
appendLen += length;
}
}
} else {
- for (currPtr = &OBJ_AT_DEPTH(opnd-2); currPtr <= &OBJ_AT_TOS;
- currPtr++) {
+ for (currPtr = &OBJ_AT_DEPTH(opnd-2);
+ appendLen >= 0 && currPtr <= &OBJ_AT_TOS; currPtr++) {
bytes = TclGetStringFromObj(*currPtr, &length);
if (bytes != NULL) {
appendLen += length;
@@ -2427,6 +2427,10 @@ TclExecuteByteCode(
}
}
+ if (appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+ }
+
/*
* If nothing is to be appended, just return the first object by
* dropping all the others from the stack; this saves both the
@@ -2451,6 +2455,10 @@ TclExecuteByteCode(
objResultPtr = OBJ_AT_DEPTH(opnd-1);
if (!onlyb) {
bytes = TclGetStringFromObj(objResultPtr, &length);
+ if (length + appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded",
+ INT_MAX);
+ }
#if !TCL_COMPILE_DEBUG
if (bytes != tclEmptyStringRep && !Tcl_IsShared(objResultPtr)) {
TclFreeIntRep(objResultPtr);
@@ -2483,6 +2491,10 @@ TclExecuteByteCode(
*p = '\0';
} else {
bytes = (char *) Tcl_GetByteArrayFromObj(objResultPtr, &length);
+ if (length + appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded",
+ INT_MAX);
+ }
#if !TCL_COMPILE_DEBUG
if (!Tcl_IsShared(objResultPtr)) {
bytes = (char *) Tcl_SetByteArrayLength(objResultPtr,