summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ChangeLog8
-rw-r--r--generic/tclAlloc.c12
-rw-r--r--generic/tclCkalloc.c30
-rw-r--r--generic/tclInt.h17
-rwxr-xr-xgeneric/tclThreadAlloc.c30
5 files changed, 74 insertions, 23 deletions
diff --git a/ChangeLog b/ChangeLog
index c0b5b3d..5fcf4a7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-09-29 Don Porter <dgp@users.sourceforge.net>
+
+ * generic/tclAlloc.c: Cleaned up various routines in the
+ * generic/tclCkalloc.c: call stacks for memory allocation to
+ * generic/tclInt.h: guarantee that any size values computed
+ * generic/tclThreadAlloc.c: are within the domains of the routines
+ they get passed to. [Bugs 2557696 and 2557796].
+
2009-09-28 Don Porter <dgp@users.sourceforge.net>
* generic/tclCmdMZ.c: Replaced TclProcessReturn() calls with
diff --git a/generic/tclAlloc.c b/generic/tclAlloc.c
index de21c7c..04627a6 100644
--- a/generic/tclAlloc.c
+++ b/generic/tclAlloc.c
@@ -15,7 +15,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclAlloc.c,v 1.27 2007/12/17 15:28:27 msofer Exp $
+ * RCS: @(#) $Id: tclAlloc.c,v 1.28 2009/09/29 05:03:46 dgp Exp $
*/
/*
@@ -265,7 +265,7 @@ TclpAlloc(
register union overhead *overPtr;
register long bucket;
register unsigned amount;
- struct block *bigBlockPtr;
+ struct block *bigBlockPtr = NULL;
if (!allocInit) {
/*
@@ -281,9 +281,11 @@ TclpAlloc(
* First the simple case: we simple allocate big blocks directly.
*/
- if (numBytes + OVERHEAD >= MAXMALLOC) {
- bigBlockPtr = (struct block *) TclpSysAlloc((unsigned)
- (sizeof(struct block) + OVERHEAD + numBytes), 0);
+ if (numBytes >= MAXMALLOC - OVERHEAD) {
+ if (numBytes <= UINT_MAX - OVERHEAD -sizeof(struct block)) {
+ bigBlockPtr = (struct block *) TclpSysAlloc((unsigned)
+ (sizeof(struct block) + OVERHEAD + numBytes), 0);
+ }
if (bigBlockPtr == NULL) {
Tcl_MutexUnlock(allocMutexPtr);
return NULL;
diff --git a/generic/tclCkalloc.c b/generic/tclCkalloc.c
index 9a3b4e3..9d9343f 100644
--- a/generic/tclCkalloc.c
+++ b/generic/tclCkalloc.c
@@ -14,7 +14,7 @@
*
* This code contributed by Karl Lehenbauer and Mark Diekhans
*
- * RCS: @(#) $Id: tclCkalloc.c,v 1.36 2009/06/18 09:41:26 dkf Exp $
+ * RCS: @(#) $Id: tclCkalloc.c,v 1.37 2009/09/29 05:03:46 dgp Exp $
*/
#include "tclInt.h"
@@ -87,8 +87,8 @@ static struct mem_header *allocHead = NULL; /* List of allocated structures */
static int total_mallocs = 0;
static int total_frees = 0;
-static int current_bytes_malloced = 0;
-static int maximum_bytes_malloced = 0;
+static size_t current_bytes_malloced = 0;
+static size_t maximum_bytes_malloced = 0;
static int current_malloc_packets = 0;
static int maximum_malloc_packets = 0;
static int break_on_malloc = 0;
@@ -175,11 +175,11 @@ TclDumpMemoryInfo(
total_frees);
fprintf(outFile,"current packets allocated %10d\n",
current_malloc_packets);
- fprintf(outFile,"current bytes allocated %10d\n",
+ fprintf(outFile,"current bytes allocated %10lu\n",
current_bytes_malloced);
fprintf(outFile,"maximum packets allocated %10d\n",
maximum_malloc_packets);
- fprintf(outFile,"maximum bytes allocated %10d\n",
+ fprintf(outFile,"maximum bytes allocated %10lu\n",
maximum_bytes_malloced);
}
@@ -376,14 +376,17 @@ Tcl_DbCkalloc(
const char *file,
int line)
{
- struct mem_header *result;
+ struct mem_header *result = NULL;
if (validate_memory) {
Tcl_ValidateAllMemory(file, line);
}
- result = (struct mem_header *) TclpAlloc((unsigned)size +
- sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+ /* Don't let size argument to TclpAlloc overflow */
+ if (size <= UINT_MAX - HIGH_GUARD_SIZE -sizeof(struct mem_header)) {
+ result = (struct mem_header *) TclpAlloc((unsigned)size +
+ sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+ }
if (result == NULL) {
fflush(stdout);
TclDumpMemoryInfo(stderr);
@@ -467,14 +470,17 @@ Tcl_AttemptDbCkalloc(
const char *file,
int line)
{
- struct mem_header *result;
+ struct mem_header *result = NULL;
if (validate_memory) {
Tcl_ValidateAllMemory(file, line);
}
- result = (struct mem_header *) TclpAlloc((unsigned)size +
- sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+ /* Don't let size argument to TclpAlloc overflow */
+ if (size <= UINT_MAX - HIGH_GUARD_SIZE - sizeof(struct mem_header)) {
+ result = (struct mem_header *) TclpAlloc((unsigned)size +
+ sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+ }
if (result == NULL) {
fflush(stdout);
TclDumpMemoryInfo(stderr);
@@ -842,7 +848,7 @@ MemoryCmd(
}
if (strcmp(argv[1],"info") == 0) {
Tcl_SetObjResult(interp, Tcl_ObjPrintf(
- "%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n",
+ "%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10lu\n%-25s %10d\n%-25s %10lu\n",
"total mallocs", total_mallocs, "total frees", total_frees,
"current packets allocated", current_malloc_packets,
"current bytes allocated", current_bytes_malloced,
diff --git a/generic/tclInt.h b/generic/tclInt.h
index d34be28..1d1851e 100644
--- a/generic/tclInt.h
+++ b/generic/tclInt.h
@@ -15,7 +15,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclInt.h,v 1.443 2009/09/24 17:19:18 dgp Exp $
+ * RCS: @(#) $Id: tclInt.h,v 1.444 2009/09/29 05:03:46 dgp Exp $
*/
#ifndef _TCLINT
@@ -3875,10 +3875,15 @@ MODULE_SCOPE void TclDbInitNewObj(Tcl_Obj *objPtr, const char *file,
*----------------------------------------------------------------
*/
+#define TCL_MAX_TOKENS (int)(UINT_MAX / sizeof(Tcl_Token))
#define TCL_MIN_TOKEN_GROWTH 50
#define TclGrowTokenArray(tokenPtr, used, available, append, staticPtr) \
{ \
int needed = (used) + (append); \
+ if (needed > TCL_MAX_TOKENS) { \
+ Tcl_Panic("max # of tokens for a Tcl parse (%d) exceeded", \
+ TCL_MAX_TOKENS); \
+ } \
if (needed > (available)) { \
int allocated = 2 * needed; \
Tcl_Token *oldPtr = (tokenPtr); \
@@ -3886,12 +3891,18 @@ MODULE_SCOPE void TclDbInitNewObj(Tcl_Obj *objPtr, const char *file,
if (oldPtr == (staticPtr)) { \
oldPtr = NULL; \
} \
+ if (allocated > TCL_MAX_TOKENS) { \
+ allocated = TCL_MAX_TOKENS; \
+ } \
newPtr = (Tcl_Token *) attemptckrealloc((char *) oldPtr, \
- (unsigned) (allocated * sizeof(Tcl_Token))); \
+ (unsigned int) (allocated * sizeof(Tcl_Token))); \
if (newPtr == NULL) { \
allocated = needed + (append) + TCL_MIN_TOKEN_GROWTH; \
+ if (allocated > TCL_MAX_TOKENS) { \
+ allocated = TCL_MAX_TOKENS; \
+ } \
newPtr = (Tcl_Token *) ckrealloc((char *) oldPtr, \
- (unsigned) (allocated * sizeof(Tcl_Token))); \
+ (unsigned int) (allocated * sizeof(Tcl_Token))); \
} \
(available) = allocated; \
if (oldPtr == NULL) { \
diff --git a/generic/tclThreadAlloc.c b/generic/tclThreadAlloc.c
index ba30637..a47b0d8 100755
--- a/generic/tclThreadAlloc.c
+++ b/generic/tclThreadAlloc.c
@@ -11,7 +11,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclThreadAlloc.c,v 1.29 2009/01/09 11:21:46 dkf Exp $
+ * RCS: @(#) $Id: tclThreadAlloc.c,v 1.30 2009/09/29 05:03:46 dgp Exp $
*/
#include "tclInt.h"
@@ -292,11 +292,23 @@ char *
TclpAlloc(
unsigned int reqSize)
{
- Cache *cachePtr = TclpGetAllocCache();
+ Cache *cachePtr;
Block *blockPtr;
register int bucket;
size_t size;
+ if (sizeof(int) >= sizeof(size_t)) {
+ /* An unsigned int overflow can also be a size_t overflow */
+ const size_t zero = 0;
+ const size_t max = ~zero;
+
+ if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) {
+ /* Requested allocation exceeds memory */
+ return NULL;
+ }
+ }
+
+ cachePtr = TclpGetAllocCache();
if (cachePtr == NULL) {
cachePtr = GetCache();
}
@@ -418,7 +430,7 @@ TclpRealloc(
char *ptr,
unsigned int reqSize)
{
- Cache *cachePtr = TclpGetAllocCache();
+ Cache *cachePtr;
Block *blockPtr;
void *newPtr;
size_t size, min;
@@ -428,6 +440,18 @@ TclpRealloc(
return TclpAlloc(reqSize);
}
+ if (sizeof(int) >= sizeof(size_t)) {
+ /* An unsigned int overflow can also be a size_t overflow */
+ const size_t zero = 0;
+ const size_t max = ~zero;
+
+ if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) {
+ /* Requested allocation exceeds memory */
+ return NULL;
+ }
+ }
+
+ cachePtr = TclpGetAllocCache();
if (cachePtr == NULL) {
cachePtr = GetCache();
}