diff options
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | generic/tclAlloc.c | 12 | ||||
-rw-r--r-- | generic/tclCkalloc.c | 30 | ||||
-rw-r--r-- | generic/tclInt.h | 17 | ||||
-rwxr-xr-x | generic/tclThreadAlloc.c | 30 |
5 files changed, 74 insertions, 23 deletions
@@ -1,3 +1,11 @@ +2009-09-29 Don Porter <dgp@users.sourceforge.net> + + * generic/tclAlloc.c: Cleaned up various routines in the + * generic/tclCkalloc.c: call stacks for memory allocation to + * generic/tclInt.h: guarantee that any size values computed + * generic/tclThreadAlloc.c: are within the domains of the routines + they get passed to. [Bugs 2557696 and 2557796]. + 2009-09-28 Don Porter <dgp@users.sourceforge.net> * generic/tclCmdMZ.c: Replaced TclProcessReturn() calls with diff --git a/generic/tclAlloc.c b/generic/tclAlloc.c index de21c7c..04627a6 100644 --- a/generic/tclAlloc.c +++ b/generic/tclAlloc.c @@ -15,7 +15,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclAlloc.c,v 1.27 2007/12/17 15:28:27 msofer Exp $ + * RCS: @(#) $Id: tclAlloc.c,v 1.28 2009/09/29 05:03:46 dgp Exp $ */ /* @@ -265,7 +265,7 @@ TclpAlloc( register union overhead *overPtr; register long bucket; register unsigned amount; - struct block *bigBlockPtr; + struct block *bigBlockPtr = NULL; if (!allocInit) { /* @@ -281,9 +281,11 @@ TclpAlloc( * First the simple case: we simple allocate big blocks directly. */ - if (numBytes + OVERHEAD >= MAXMALLOC) { - bigBlockPtr = (struct block *) TclpSysAlloc((unsigned) - (sizeof(struct block) + OVERHEAD + numBytes), 0); + if (numBytes >= MAXMALLOC - OVERHEAD) { + if (numBytes <= UINT_MAX - OVERHEAD -sizeof(struct block)) { + bigBlockPtr = (struct block *) TclpSysAlloc((unsigned) + (sizeof(struct block) + OVERHEAD + numBytes), 0); + } if (bigBlockPtr == NULL) { Tcl_MutexUnlock(allocMutexPtr); return NULL; diff --git a/generic/tclCkalloc.c b/generic/tclCkalloc.c index 9a3b4e3..9d9343f 100644 --- a/generic/tclCkalloc.c +++ b/generic/tclCkalloc.c @@ -14,7 +14,7 @@ * * This code contributed by Karl Lehenbauer and Mark Diekhans * - * RCS: @(#) $Id: tclCkalloc.c,v 1.36 2009/06/18 09:41:26 dkf Exp $ + * RCS: @(#) $Id: tclCkalloc.c,v 1.37 2009/09/29 05:03:46 dgp Exp $ */ #include "tclInt.h" @@ -87,8 +87,8 @@ static struct mem_header *allocHead = NULL; /* List of allocated structures */ static int total_mallocs = 0; static int total_frees = 0; -static int current_bytes_malloced = 0; -static int maximum_bytes_malloced = 0; +static size_t current_bytes_malloced = 0; +static size_t maximum_bytes_malloced = 0; static int current_malloc_packets = 0; static int maximum_malloc_packets = 0; static int break_on_malloc = 0; @@ -175,11 +175,11 @@ TclDumpMemoryInfo( total_frees); fprintf(outFile,"current packets allocated %10d\n", current_malloc_packets); - fprintf(outFile,"current bytes allocated %10d\n", + fprintf(outFile,"current bytes allocated %10lu\n", current_bytes_malloced); fprintf(outFile,"maximum packets allocated %10d\n", maximum_malloc_packets); - fprintf(outFile,"maximum bytes allocated %10d\n", + fprintf(outFile,"maximum bytes allocated %10lu\n", maximum_bytes_malloced); } @@ -376,14 +376,17 @@ Tcl_DbCkalloc( const char *file, int line) { - struct mem_header *result; + struct mem_header *result = NULL; if (validate_memory) { Tcl_ValidateAllMemory(file, line); } - result = (struct mem_header *) TclpAlloc((unsigned)size + - sizeof(struct mem_header) + HIGH_GUARD_SIZE); + /* Don't let size argument to TclpAlloc overflow */ + if (size <= UINT_MAX - HIGH_GUARD_SIZE -sizeof(struct mem_header)) { + result = (struct mem_header *) TclpAlloc((unsigned)size + + sizeof(struct mem_header) + HIGH_GUARD_SIZE); + } if (result == NULL) { fflush(stdout); TclDumpMemoryInfo(stderr); @@ -467,14 +470,17 @@ Tcl_AttemptDbCkalloc( const char *file, int line) { - struct mem_header *result; + struct mem_header *result = NULL; if (validate_memory) { Tcl_ValidateAllMemory(file, line); } - result = (struct mem_header *) TclpAlloc((unsigned)size + - sizeof(struct mem_header) + HIGH_GUARD_SIZE); + /* Don't let size argument to TclpAlloc overflow */ + if (size <= UINT_MAX - HIGH_GUARD_SIZE - sizeof(struct mem_header)) { + result = (struct mem_header *) TclpAlloc((unsigned)size + + sizeof(struct mem_header) + HIGH_GUARD_SIZE); + } if (result == NULL) { fflush(stdout); TclDumpMemoryInfo(stderr); @@ -842,7 +848,7 @@ MemoryCmd( } if (strcmp(argv[1],"info") == 0) { Tcl_SetObjResult(interp, Tcl_ObjPrintf( - "%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n", + "%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10lu\n%-25s %10d\n%-25s %10lu\n", "total mallocs", total_mallocs, "total frees", total_frees, "current packets allocated", current_malloc_packets, "current bytes allocated", current_bytes_malloced, diff --git a/generic/tclInt.h b/generic/tclInt.h index d34be28..1d1851e 100644 --- a/generic/tclInt.h +++ b/generic/tclInt.h @@ -15,7 +15,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclInt.h,v 1.443 2009/09/24 17:19:18 dgp Exp $ + * RCS: @(#) $Id: tclInt.h,v 1.444 2009/09/29 05:03:46 dgp Exp $ */ #ifndef _TCLINT @@ -3875,10 +3875,15 @@ MODULE_SCOPE void TclDbInitNewObj(Tcl_Obj *objPtr, const char *file, *---------------------------------------------------------------- */ +#define TCL_MAX_TOKENS (int)(UINT_MAX / sizeof(Tcl_Token)) #define TCL_MIN_TOKEN_GROWTH 50 #define TclGrowTokenArray(tokenPtr, used, available, append, staticPtr) \ { \ int needed = (used) + (append); \ + if (needed > TCL_MAX_TOKENS) { \ + Tcl_Panic("max # of tokens for a Tcl parse (%d) exceeded", \ + TCL_MAX_TOKENS); \ + } \ if (needed > (available)) { \ int allocated = 2 * needed; \ Tcl_Token *oldPtr = (tokenPtr); \ @@ -3886,12 +3891,18 @@ MODULE_SCOPE void TclDbInitNewObj(Tcl_Obj *objPtr, const char *file, if (oldPtr == (staticPtr)) { \ oldPtr = NULL; \ } \ + if (allocated > TCL_MAX_TOKENS) { \ + allocated = TCL_MAX_TOKENS; \ + } \ newPtr = (Tcl_Token *) attemptckrealloc((char *) oldPtr, \ - (unsigned) (allocated * sizeof(Tcl_Token))); \ + (unsigned int) (allocated * sizeof(Tcl_Token))); \ if (newPtr == NULL) { \ allocated = needed + (append) + TCL_MIN_TOKEN_GROWTH; \ + if (allocated > TCL_MAX_TOKENS) { \ + allocated = TCL_MAX_TOKENS; \ + } \ newPtr = (Tcl_Token *) ckrealloc((char *) oldPtr, \ - (unsigned) (allocated * sizeof(Tcl_Token))); \ + (unsigned int) (allocated * sizeof(Tcl_Token))); \ } \ (available) = allocated; \ if (oldPtr == NULL) { \ diff --git a/generic/tclThreadAlloc.c b/generic/tclThreadAlloc.c index ba30637..a47b0d8 100755 --- a/generic/tclThreadAlloc.c +++ b/generic/tclThreadAlloc.c @@ -11,7 +11,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclThreadAlloc.c,v 1.29 2009/01/09 11:21:46 dkf Exp $ + * RCS: @(#) $Id: tclThreadAlloc.c,v 1.30 2009/09/29 05:03:46 dgp Exp $ */ #include "tclInt.h" @@ -292,11 +292,23 @@ char * TclpAlloc( unsigned int reqSize) { - Cache *cachePtr = TclpGetAllocCache(); + Cache *cachePtr; Block *blockPtr; register int bucket; size_t size; + if (sizeof(int) >= sizeof(size_t)) { + /* An unsigned int overflow can also be a size_t overflow */ + const size_t zero = 0; + const size_t max = ~zero; + + if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) { + /* Requested allocation exceeds memory */ + return NULL; + } + } + + cachePtr = TclpGetAllocCache(); if (cachePtr == NULL) { cachePtr = GetCache(); } @@ -418,7 +430,7 @@ TclpRealloc( char *ptr, unsigned int reqSize) { - Cache *cachePtr = TclpGetAllocCache(); + Cache *cachePtr; Block *blockPtr; void *newPtr; size_t size, min; @@ -428,6 +440,18 @@ TclpRealloc( return TclpAlloc(reqSize); } + if (sizeof(int) >= sizeof(size_t)) { + /* An unsigned int overflow can also be a size_t overflow */ + const size_t zero = 0; + const size_t max = ~zero; + + if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) { + /* Requested allocation exceeds memory */ + return NULL; + } + } + + cachePtr = TclpGetAllocCache(); if (cachePtr == NULL) { cachePtr = GetCache(); } |