author | dkf <dkf@noemail.net> | 2010-04-30 14:06:40 (GMT) |
---|---|---|
committer | dkf <dkf@noemail.net> | 2010-04-30 14:06:40 (GMT) |
commit | 93a655ae3dc105cd7f12b8243262c476a7cb6ee1 (patch) | |
tree | 0bb8bdd3d7b50caf7f103c3f5606ff827a7b9aca /generic/tclBinary.c | |
parent | ac2386144ebb944d9319649e9b5b677e7fd7ea62 (diff) | |
* generic/tclBinary.c (TclAppendBytesToByteArray): Add extra armour
against buffer overflows.
FossilOrigin-Name: 07af3814a9e824569ca4aff7cf325ec148faece8
Diffstat (limited to 'generic/tclBinary.c')
-rw-r--r-- | generic/tclBinary.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/generic/tclBinary.c b/generic/tclBinary.c index 7bfa07a..b74be98 100644 --- a/generic/tclBinary.c +++ b/generic/tclBinary.c @@ -10,7 +10,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclBinary.c,v 1.62 2010/04/29 15:14:33 nijtmans Exp $ + * RCS: @(#) $Id: tclBinary.c,v 1.63 2010/04/30 14:06:41 dkf Exp $ */ #include "tclInt.h" @@ -615,19 +615,24 @@ TclAppendBytesToByteArray( if (byteArrayPtr->used + (int)len > byteArrayPtr->allocated) { unsigned int attempt, used = byteArrayPtr->used; - ByteArray *tmpByteArrayPtr; + ByteArray *tmpByteArrayPtr = NULL; attempt = byteArrayPtr->allocated; do { attempt *= 2; } while (attempt < used+len); - tmpByteArrayPtr = (ByteArray *) - attemptckrealloc((char *) byteArrayPtr, - BYTEARRAY_SIZE(attempt)); + if (BYTEARRAY_SIZE(attempt) > BYTEARRAY_SIZE(used)) { + tmpByteArrayPtr = (ByteArray *) + attemptckrealloc((char *) byteArrayPtr, + BYTEARRAY_SIZE(attempt)); + } if (tmpByteArrayPtr == NULL) { attempt = used + len; + if (BYTEARRAY_SIZE(attempt) < BYTEARRAY_SIZE(used)) { + Tcl_Panic("attempt to allocate a bigger buffer than we can handle"); + } tmpByteArrayPtr = (ByteArray *) ckrealloc((char *) byteArrayPtr, BYTEARRAY_SIZE(attempt)); } @@ -1118,7 +1123,7 @@ BinaryFormatCmd( * this is safe since we aren't going to modify the array. */ - listv = (Tcl_Obj**)(objv + arg); + listv = (Tcl_Obj **) (objv + arg); listc = 1; count = 1; } else { |
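Review bot: Both new `BYTEARRAY_SIZE` checks sit inside the `if (byteArrayPtr->used + (int)len > byteArrayPtr->allocated)` branch, and that guard is still evaluated in signed `int` arithmetic, so the case the commit is armouring against can bypass them. If `used + len` exceeds `INT_MAX` (or `len` is negative, should a caller be able to pass that), the sum can wrap, the branch is skipped, and the append that presumably follows outside this hunk would write past the current allocation without reaching either check. I would validate before the guard, for example `if (len < 0 || len > INT_MAX - byteArrayPtr->used) { Tcl_Panic("attempt to allocate a bigger buffer than we can handle"); }`, and only then compare against `allocated`. Separately, the `do { attempt *= 2; }` loop would never terminate if `allocated` could be 0 on entry, so a comment stating that invariant, or a minimum starting value, would help. The body of `TclAppendBytesToByteArray` starts and ends outside the hunk, so the type of `len` and the later copy are inferred rather than visible.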