diff options
| author | dgp <dgp@users.sourceforge.net> | 2009-03-20 14:43:27 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2009-03-20 14:43:27 (GMT) |
| commit | dfe41925f76a800c5abaaffdbe7b7676fca1430c (patch) | |
| tree | 34b18c3ec4beee28ee636efcd4ed47a391c81853 /generic | |
| parent | e6e54e79e2d7333a81f91a9525ed518f9d96a0cd (diff) | |
| download | tcl-dfe41925f76a800c5abaaffdbe7b7676fca1430c.zip tcl-dfe41925f76a800c5abaaffdbe7b7676fca1430c.tar.gz tcl-dfe41925f76a800c5abaaffdbe7b7676fca1430c.tar.bz2 | |
* generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow
the max length of a Tcl value. [Bug 2669109]
Diffstat (limited to 'generic')
| -rw-r--r-- | generic/tclExecute.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/generic/tclExecute.c b/generic/tclExecute.c index 49862ae..5e8b1a7 100644 --- a/generic/tclExecute.c +++ b/generic/tclExecute.c @@ -14,7 +14,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclExecute.c,v 1.429 2009/03/19 23:31:37 msofer Exp $ + * RCS: @(#) $Id: tclExecute.c,v 1.430 2009/03/20 14:43:27 dgp Exp $ */ #include "tclInt.h" @@ -2410,16 +2410,16 @@ TclExecuteByteCode( */ if (onlyb) { - for (currPtr = &OBJ_AT_DEPTH(opnd-2); currPtr <= &OBJ_AT_TOS; - currPtr++) { + for (currPtr = &OBJ_AT_DEPTH(opnd-2); + appendLen >= 0 && currPtr <= &OBJ_AT_TOS; currPtr++) { if ((*currPtr)->bytes != tclEmptyStringRep) { Tcl_GetByteArrayFromObj(*currPtr, &length); appendLen += length; } } } else { - for (currPtr = &OBJ_AT_DEPTH(opnd-2); currPtr <= &OBJ_AT_TOS; - currPtr++) { + for (currPtr = &OBJ_AT_DEPTH(opnd-2); + appendLen >= 0 && currPtr <= &OBJ_AT_TOS; currPtr++) { bytes = TclGetStringFromObj(*currPtr, &length); if (bytes != NULL) { appendLen += length; @@ -2427,6 +2427,10 @@ TclExecuteByteCode( } } + if (appendLen < 0) { + Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX); + } + /* * If nothing is to be appended, just return the first object by * dropping all the others from the stack; this saves both the @@ -2451,6 +2455,10 @@ TclExecuteByteCode( objResultPtr = OBJ_AT_DEPTH(opnd-1); if (!onlyb) { bytes = TclGetStringFromObj(objResultPtr, &length); + if (length + appendLen < 0) { + Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", + INT_MAX); + } #if !TCL_COMPILE_DEBUG if (bytes != tclEmptyStringRep && !Tcl_IsShared(objResultPtr)) { TclFreeIntRep(objResultPtr); @@ -2483,6 +2491,10 @@ TclExecuteByteCode( *p = '\0'; } else { bytes = (char *) Tcl_GetByteArrayFromObj(objResultPtr, &length); + if (length + appendLen < 0) { + Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", + INT_MAX); + } #if !TCL_COMPILE_DEBUG if (!Tcl_IsShared(objResultPtr)) { bytes = (char *) Tcl_SetByteArrayLength(objResultPtr, |