authordgp <dgp@users.sourceforge.net>2009-02-02 05:47:54 (GMT)
committerdgp <dgp@users.sourceforge.net>2009-02-02 05:47:54 (GMT)
commit5d9f498e2eee76fe8198e5dd7894820ea5ea6922 (patch)
treef06c240cb542972c35da0a24fcc81e5aa5cd8a48
parentf2a2702d01498c67b0b9f5146c17c402ed0afabc (diff)
* generic/tclStringObj.c (Tcl_(Attempt)SetObjLength): Added
protections against callers asking for negative lengths. It is likely when this happens that an integer overflow is to blame. [Bug 2553906].
-rw-r--r--ChangeLog7
-rw-r--r--generic/tclStringObj.c17
2 files changed, 23 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 68d294b..c43f610 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-02-02 Don Porter <dgp@users.sourceforge.net>
+
+ * generic/tclStringObj.c (Tcl_(Attempt)SetObjLength): Added
+ protections against callers asking for negative lengths. It is
+ likely when this happens that an integer overflow is to blame.
+ [Bug 2553906].
+
2009-02-01 David Gravereaux <davygrvy@pobox.com>
* win/makefile.vc: Allow nmake flags such as -a (rebuild
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index aebb2e9..f5ba669 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -33,7 +33,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclStringObj.c,v 1.79 2009/01/21 21:29:05 dgp Exp $ */
+ * RCS: @(#) $Id: tclStringObj.c,v 1.80 2009/02/02 05:47:54 dgp Exp $ */
#include "tclInt.h"
#include "tommath.h"
@@ -763,6 +763,14 @@ Tcl_SetObjLength(
{
String *stringPtr;
+ if (length < 0) {
+ /*
+ * Setting to a negative length is nonsense. This is probably the
+ * result of overflowing the signed integer range.
+ */
+ Tcl_Panic( "Tcl_SetObjLength: negative length requested: "
+ "%d (integer overflow?)", length);
+ }
if (Tcl_IsShared(objPtr)) {
Tcl_Panic("%s called with shared object", "Tcl_SetObjLength");
}
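Review bot: The new `length < 0` guard at the top of Tcl_SetObjLength only catches an overflow that happens to wrap into the negative range; a caller whose size arithmetic wraps to a non-negative value still ends up with a buffer shorter than it intended, and signed overflow at the call site is already undefined behaviour in C before this check runs. I would say so in the comment, for example `* This is a last-resort check; callers must still bound their length arithmetic before calling.`, so the panic is not read as making unchecked callers safe. As a style point, `Tcl_Panic( "Tcl_SetObjLength: ...` has a space after the opening parenthesis that the existing `Tcl_Panic("%s called with shared object", ...)` call just below does not. The function body continues outside the hunk.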
@@ -876,6 +884,13 @@ Tcl_AttemptSetObjLength(
{
String *stringPtr;
+ if (length < 0) {
+ /*
+ * Setting to a negative length is nonsense. This is probably the
+ * result of overflowing the signed integer range.
+ */
+ return 0;
+ }
if (Tcl_IsShared(objPtr)) {
Tcl_Panic("%s called with shared object", "Tcl_AttemptSetObjLength");
}
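Review bot: Returning 0 for a negative length in Tcl_AttemptSetObjLength gives the caller no way to tell this case apart from whatever other failure the function reports with 0 (presumably allocation failure, though the rest of the body is outside the hunk). A caller that answers 0 with an out-of-memory message will then hide the integer overflow the comment suspects. The function's header comment should state that a negative request also returns 0, and the inline comment could add `* Reported as failure rather than a panic, so the caller can recover.` The early return also sits before the Tcl_IsShared check, so a call with a shared object and a negative length skips the panic that the shared-object misuse would otherwise trigger.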