diff options
| author | dgp <dgp@users.sourceforge.net> | 2009-08-27 19:33:24 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2009-08-27 19:33:24 (GMT) |
| commit | 0f464e35a0f9ebfc2060cdb7a84a22a629a662c4 (patch) | |
| tree | 0572abff10b86bec0beb74b6336b7ae435ad90b5 /generic/tclStringObj.c | |
| parent | 1f43e831d1b9917d0b7c0ee030f1d2112af36ea6 (diff) | |
| download | tcl-0f464e35a0f9ebfc2060cdb7a84a22a629a662c4.zip tcl-0f464e35a0f9ebfc2060cdb7a84a22a629a662c4.tar.gz tcl-0f464e35a0f9ebfc2060cdb7a84a22a629a662c4.tar.bz2 | |
* generic/tclStringObj.c: A few more string overflow cases in
[format]. [Bug 2845535]
Diffstat (limited to 'generic/tclStringObj.c')
| -rw-r--r-- | generic/tclStringObj.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c index 6e202d5..2289659 100644 --- a/generic/tclStringObj.c +++ b/generic/tclStringObj.c @@ -33,7 +33,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclStringObj.c,v 1.70.2.17 2009/07/31 16:56:32 dgp Exp $ */ + * RCS: @(#) $Id: tclStringObj.c,v 1.70.2.18 2009/08/27 19:33:24 dgp Exp $ */ #include "tclInt.h" #include "tommath.h" @@ -2363,6 +2363,10 @@ Tcl_AppendFormatToObj( if (gotPrecision) { *p++ = '.'; p += sprintf(p, "%d", precision); + if (precision > INT_MAX - length) { + msg=overflow; + goto errorMsg; + } length += precision; } @@ -2375,9 +2379,15 @@ Tcl_AppendFormatToObj( segment = Tcl_NewObj(); allocSegment = 1; - Tcl_SetObjLength(segment, length); + if (!Tcl_AttemptSetObjLength(segment, length)) { + msg = overflow; + goto errorMsg; + } bytes = TclGetString(segment); - Tcl_SetObjLength(segment, sprintf(bytes, spec, d)); + if (!Tcl_AttemptSetObjLength(segment, sprintf(bytes, spec, d))) { + msg = overflow; + goto errorMsg; + } break; } default: |