diff options
| author | dgp <dgp@users.sourceforge.net> | 2009-09-28 21:20:50 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2009-09-28 21:20:50 (GMT) |
| commit | 7ad9ba94f77eba7345aaf7872f5f40681d7e16a4 (patch) | |
| tree | 4bbcc35d2c98ef432ee08599ec2bd541b906a6ba /generic/tclThreadAlloc.c | |
| parent | cd55adb09ee0d5e492e024cac7a43350933b9dd3 (diff) | |
| download | tcl-7ad9ba94f77eba7345aaf7872f5f40681d7e16a4.zip tcl-7ad9ba94f77eba7345aaf7872f5f40681d7e16a4.tar.gz tcl-7ad9ba94f77eba7345aaf7872f5f40681d7e16a4.tar.bz2 | |
* generic/tclAlloc.c: Cleaned up various routines in the
* generic/tclCkalloc.c: call stacks for memory allocation to
* generic/tclParse.c: guarantee that any size values computed
* generic/tclThreadAlloc.c: are within the domains of the routines
they get passed to. [Bugs 2557696 and 2557796].
Diffstat (limited to 'generic/tclThreadAlloc.c')
| -rwxr-xr-x | generic/tclThreadAlloc.c | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/generic/tclThreadAlloc.c b/generic/tclThreadAlloc.c index 9ff31db..f4c1e63 100755 --- a/generic/tclThreadAlloc.c +++ b/generic/tclThreadAlloc.c @@ -11,7 +11,7 @@ * See the file "license.terms" for information on usage and redistribution * of this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclThreadAlloc.c,v 1.4.2.8 2007/06/29 03:17:33 das Exp $ + * RCS: @(#) $Id: tclThreadAlloc.c,v 1.4.2.9 2009/09/28 21:20:51 dgp Exp $ */ #include "tclInt.h" @@ -306,11 +306,23 @@ TclFreeAllocCache(void *arg) char * TclpAlloc(unsigned int reqsize) { - Cache *cachePtr = TclpGetAllocCache(); + Cache *cachePtr; Block *blockPtr; register int bucket; size_t size; + if (sizeof(int) >= sizeof(size_t)) { + /* An unsigned int overflow can also be a size_t overflow */ + const size_t zero = 0; + const size_t max = ~zero; + + if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) { + /* Requested allocation exceeds memory */ + return NULL; + } + } + + cachePtr = TclpGetAllocCache(); if (cachePtr == NULL) { cachePtr = GetCache(); } @@ -429,7 +441,7 @@ TclpFree(char *ptr) char * TclpRealloc(char *ptr, unsigned int reqsize) { - Cache *cachePtr = TclpGetAllocCache(); + Cache *cachePtr; Block *blockPtr; void *new; size_t size, min; @@ -439,6 +451,18 @@ TclpRealloc(char *ptr, unsigned int reqsize) return TclpAlloc(reqsize); } + if (sizeof(int) >= sizeof(size_t)) { + /* An unsigned int overflow can also be a size_t overflow */ + const size_t zero = 0; + const size_t max = ~zero; + + if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) { + /* Requested allocation exceeds memory */ + return NULL; + } + } + + cachePtr = TclpGetAllocCache(); if (cachePtr == NULL) { cachePtr = GetCache(); } |