diff options
| author | dgp <dgp@users.sourceforge.net> | 2010-04-30 20:52:51 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2010-04-30 20:52:51 (GMT) |
| commit | fc29863f3fe1e359b0a7727e0b8a46d7b5cef69e (patch) | |
| tree | 1e6f657a3753fec35f1cec4796c310ee5a4cc91a /generic/tclBinary.c | |
| parent | 312f44ead9b03addb227c8fb0ee54ba9310a8032 (diff) | |
| download | tcl-fc29863f3fe1e359b0a7727e0b8a46d7b5cef69e.zip tcl-fc29863f3fe1e359b0a7727e0b8a46d7b5cef69e.tar.gz tcl-fc29863f3fe1e359b0a7727e0b8a46d7b5cef69e.tar.bz2 | |
* generic/tclBinary.c (TclAppendBytesToByteArray): Add comments
* generic/tclInt.h (TclAppendBytesToByteArray): placing overflow
protection responsibility on caller. Convert "len" argument to signed
int which any value already vetted for overflow issues will fit into.
* generic/tclStringObj.c: Update caller; standardize panic msg.
* generic/tclBinary.c (UpdateStringOfByteArray): Add panic
when the generated string representation would grow beyond Tcl's
size limits. [Bug 2994924]
Diffstat (limited to 'generic/tclBinary.c')
| -rw-r--r-- | generic/tclBinary.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/generic/tclBinary.c b/generic/tclBinary.c index b74be98..3264a70 100644 --- a/generic/tclBinary.c +++ b/generic/tclBinary.c @@ -10,7 +10,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclBinary.c,v 1.63 2010/04/30 14:06:41 dkf Exp $ + * RCS: @(#) $Id: tclBinary.c,v 1.64 2010/04/30 20:52:51 dgp Exp $ */ #include "tclInt.h" @@ -553,11 +553,14 @@ UpdateStringOfByteArray( */ size = length; - for (i = 0; i < length; i++) { + for (i = 0; i < length && size >= 0; i++) { if ((src[i] == 0) || (src[i] > 127)) { size++; } } + if (size < 0) { + Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX); + } dst = (char *) ckalloc((unsigned) (size + 1)); objPtr->bytes = dst; @@ -581,7 +584,9 @@ UpdateStringOfByteArray( * * This function appends an array of bytes to a byte array object. Note * that the object *must* be unshared, and the array of bytes *must not* - * refer to the object being appended to. + * refer to the object being appended to. Also the caller must have + * already checked that the final length of the bytearray after the + * append operations is complete will not overflow the int range. * * Results: * None. @@ -597,7 +602,7 @@ void TclAppendBytesToByteArray( Tcl_Obj *objPtr, const unsigned char *bytes, - unsigned len) + int len) { ByteArray *byteArrayPtr; @@ -613,7 +618,7 @@ TclAppendBytesToByteArray( * If we need to, resize the allocated space in the byte array. */ - if (byteArrayPtr->used + (int)len > byteArrayPtr->allocated) { + if (byteArrayPtr->used + len > byteArrayPtr->allocated) { unsigned int attempt, used = byteArrayPtr->used; ByteArray *tmpByteArrayPtr = NULL; |