summaryrefslogtreecommitdiffstats
path: root/generic/tclThreadAlloc.c
diff options
context:
space:
mode:
authordgp <dgp@users.sourceforge.net>2009-09-28 21:20:50 (GMT)
committerdgp <dgp@users.sourceforge.net>2009-09-28 21:20:50 (GMT)
commit7ad9ba94f77eba7345aaf7872f5f40681d7e16a4 (patch)
tree4bbcc35d2c98ef432ee08599ec2bd541b906a6ba /generic/tclThreadAlloc.c
parentcd55adb09ee0d5e492e024cac7a43350933b9dd3 (diff)
downloadtcl-7ad9ba94f77eba7345aaf7872f5f40681d7e16a4.zip
tcl-7ad9ba94f77eba7345aaf7872f5f40681d7e16a4.tar.gz
tcl-7ad9ba94f77eba7345aaf7872f5f40681d7e16a4.tar.bz2
* generic/tclAlloc.c: Cleaned up various routines in the
* generic/tclCkalloc.c: call stacks for memory allocation to * generic/tclParse.c: guarantee that any size values computed * generic/tclThreadAlloc.c: are within the domains of the routines they get passed to. [Bugs 2557696 and 2557796].
Diffstat (limited to 'generic/tclThreadAlloc.c')
-rwxr-xr-xgeneric/tclThreadAlloc.c30
1 files changed, 27 insertions, 3 deletions
diff --git a/generic/tclThreadAlloc.c b/generic/tclThreadAlloc.c
index 9ff31db..f4c1e63 100755
--- a/generic/tclThreadAlloc.c
+++ b/generic/tclThreadAlloc.c
@@ -11,7 +11,7 @@
* See the file "license.terms" for information on usage and redistribution
* of this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclThreadAlloc.c,v 1.4.2.8 2007/06/29 03:17:33 das Exp $
+ * RCS: @(#) $Id: tclThreadAlloc.c,v 1.4.2.9 2009/09/28 21:20:51 dgp Exp $
*/
#include "tclInt.h"
@@ -306,11 +306,23 @@ TclFreeAllocCache(void *arg)
char *
TclpAlloc(unsigned int reqsize)
{
- Cache *cachePtr = TclpGetAllocCache();
+ Cache *cachePtr;
Block *blockPtr;
register int bucket;
size_t size;
+ if (sizeof(int) >= sizeof(size_t)) {
+ /* An unsigned int overflow can also be a size_t overflow */
+ const size_t zero = 0;
+ const size_t max = ~zero;
+
+ if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) {
+ /* Requested allocation exceeds memory */
+ return NULL;
+ }
+ }
+
+ cachePtr = TclpGetAllocCache();
if (cachePtr == NULL) {
cachePtr = GetCache();
}
@@ -429,7 +441,7 @@ TclpFree(char *ptr)
char *
TclpRealloc(char *ptr, unsigned int reqsize)
{
- Cache *cachePtr = TclpGetAllocCache();
+ Cache *cachePtr;
Block *blockPtr;
void *new;
size_t size, min;
@@ -439,6 +451,18 @@ TclpRealloc(char *ptr, unsigned int reqsize)
return TclpAlloc(reqsize);
}
+ if (sizeof(int) >= sizeof(size_t)) {
+ /* An unsigned int overflow can also be a size_t overflow */
+ const size_t zero = 0;
+ const size_t max = ~zero;
+
+ if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) {
+ /* Requested allocation exceeds memory */
+ return NULL;
+ }
+ }
+
+ cachePtr = TclpGetAllocCache();
if (cachePtr == NULL) {
cachePtr = GetCache();
}