diff options
| author | dgp <dgp@users.sourceforge.net> | 2009-08-27 19:34:24 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2009-08-27 19:34:24 (GMT) |
| commit | c664b11f1bbac55099085e6d49731f0c023bb7d6 (patch) | |
| tree | 54c2dd256a52d9542e68fd02599b5a8e353f7c63 /generic/tclStringObj.c | |
| parent | 0dafa2ef355723cf20e2f300e00ac2ea12f52317 (diff) | |
| download | tcl-c664b11f1bbac55099085e6d49731f0c023bb7d6.zip tcl-c664b11f1bbac55099085e6d49731f0c023bb7d6.tar.gz tcl-c664b11f1bbac55099085e6d49731f0c023bb7d6.tar.bz2 | |
* generic/tclStringObj.c: A few more string overflow cases in
[format]. [Bug 2845535]
Diffstat (limited to 'generic/tclStringObj.c')
| -rw-r--r-- | generic/tclStringObj.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c index 9ba62f5..8b33fe1 100644 --- a/generic/tclStringObj.c +++ b/generic/tclStringObj.c @@ -33,7 +33,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclStringObj.c,v 1.128 2009/07/31 16:55:58 dgp Exp $ */ + * RCS: @(#) $Id: tclStringObj.c,v 1.129 2009/08/27 19:34:24 dgp Exp $ */ #include "tclInt.h" #include "tommath.h" @@ -2218,6 +2218,10 @@ Tcl_AppendFormatToObj( if (gotPrecision) { *p++ = '.'; p += sprintf(p, "%d", precision); + if (precision > INT_MAX - length) { + msg=overflow; + goto errorMsg; + } length += precision; } @@ -2230,9 +2234,15 @@ Tcl_AppendFormatToObj( segment = Tcl_NewObj(); allocSegment = 1; - Tcl_SetObjLength(segment, length); + if (!Tcl_AttemptSetObjLength(segment, length)) { + msg = overflow; + goto errorMsg; + } bytes = TclGetString(segment); - Tcl_SetObjLength(segment, sprintf(bytes, spec, d)); + if (!Tcl_AttemptSetObjLength(segment, sprintf(bytes, spec, d))) { + msg = overflow; + goto errorMsg; + } break; } default: |