diff options
| author | dgp <dgp@users.sourceforge.net> | 2009-08-27 19:33:24 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2009-08-27 19:33:24 (GMT) |
| commit | 14e37320188438c6023b68c3df2d4349c214b647 (patch) | |
| tree | 0572abff10b86bec0beb74b6336b7ae435ad90b5 /generic/tclStringObj.c | |
| parent | e7db7cb93b3463acbc2912f03a8693b8afedbac9 (diff) | |
| download | tcl-14e37320188438c6023b68c3df2d4349c214b647.zip tcl-14e37320188438c6023b68c3df2d4349c214b647.tar.gz tcl-14e37320188438c6023b68c3df2d4349c214b647.tar.bz2 | |
* generic/tclStringObj.c: A few more string overflow cases in
[format]. [Bug 2845535]
Diffstat (limited to 'generic/tclStringObj.c')
| -rw-r--r-- | generic/tclStringObj.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c index 6e202d5..2289659 100644 --- a/generic/tclStringObj.c +++ b/generic/tclStringObj.c @@ -33,7 +33,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclStringObj.c,v 1.70.2.17 2009/07/31 16:56:32 dgp Exp $ */ + * RCS: @(#) $Id: tclStringObj.c,v 1.70.2.18 2009/08/27 19:33:24 dgp Exp $ */ #include "tclInt.h" #include "tommath.h" @@ -2363,6 +2363,10 @@ Tcl_AppendFormatToObj( if (gotPrecision) { *p++ = '.'; p += sprintf(p, "%d", precision); + if (precision > INT_MAX - length) { + msg=overflow; + goto errorMsg; + } length += precision; } @@ -2375,9 +2379,15 @@ Tcl_AppendFormatToObj( segment = Tcl_NewObj(); allocSegment = 1; - Tcl_SetObjLength(segment, length); + if (!Tcl_AttemptSetObjLength(segment, length)) { + msg = overflow; + goto errorMsg; + } bytes = TclGetString(segment); - Tcl_SetObjLength(segment, sprintf(bytes, spec, d)); + if (!Tcl_AttemptSetObjLength(segment, sprintf(bytes, spec, d))) { + msg = overflow; + goto errorMsg; + } break; } default: |