-rw-r--r--ChangeLog9
-rw-r--r--generic/tclIO.c29
2 files changed, 32 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index 6f1e8db..ba8850b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2010-01-18 Andreas Kupries <andreask@activestate.com>
+
+ * generic/tclIO.c (CreateScriptRecord): [Bug 2918110]: Initialize
+ the EventScriptRecord (esPtr) fully before handing it to
+ Tcl_CreateChannelHandler for registration. Otherwise a reflected
+ channel calling 'chan postevent' (== Tcl_NotifyChannel) in its
+ 'watchProc' will cause the function 'TclChannelEventScriptInvoker'
+ to be run on an uninitialized structure.
+
2010-01-18 Donal K. Fellows <dkf@users.sf.net>
* generic/tclStringObj.c (Tcl_AppendFormatToObj): [Bug 2932421]: Stop
diff --git a/generic/tclIO.c b/generic/tclIO.c
index 3f7724b..115bf9a 100644
--- a/generic/tclIO.c
+++ b/generic/tclIO.c
@@ -10,7 +10,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclIO.c,v 1.170 2009/12/09 23:26:53 andreas_kupries Exp $
+ * RCS: @(#) $Id: tclIO.c,v 1.171 2010/01/18 22:19:11 andreas_kupries Exp $
*/
#include "tclInt.h"
@@ -8677,6 +8677,7 @@ CreateScriptRecord(
ChannelState *statePtr = chanPtr->state;
/* State info for channel */
EventScriptRecord *esPtr;
+ int makeCH;
for (esPtr=statePtr->scriptRecordPtr; esPtr!=NULL; esPtr=esPtr->nextPtr) {
if ((esPtr->interp == interp) && (esPtr->mask == mask)) {
@@ -8685,18 +8686,34 @@ CreateScriptRecord(
break;
}
}
- if (esPtr == NULL) {
+
+ makeCH = (esPtr == NULL);
+
+ if (makeCH) {
esPtr = (EventScriptRecord *) ckalloc(sizeof(EventScriptRecord));
- Tcl_CreateChannelHandler((Tcl_Channel) chanPtr, mask,
- TclChannelEventScriptInvoker, esPtr);
- esPtr->nextPtr = statePtr->scriptRecordPtr;
- statePtr->scriptRecordPtr = esPtr;
}
+
+ /*
+ * Initialize the structure before calling Tcl_CreateChannelHandler,
+ * because a reflected channel caling 'chan postevent' aka
+ * 'Tcl_NotifyChannel' in its 'watch'Proc will invoke
+ * 'TclChannelEventScriptInvoker' immediately, and we do not wish it to
+ * see uninitialized memory and crash. See [Bug 2918110].
+ */
+
esPtr->chanPtr = chanPtr;
esPtr->interp = interp;
esPtr->mask = mask;
Tcl_IncrRefCount(scriptPtr);
esPtr->scriptPtr = scriptPtr;
+
+ if (makeCH) {
+ esPtr->nextPtr = statePtr->scriptRecordPtr;
+ statePtr->scriptRecordPtr = esPtr;
+
+ Tcl_CreateChannelHandler((Tcl_Channel) chanPtr, mask,
+ TclChannelEventScriptInvoker, esPtr);
+ }
}
/*
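Review bot: Nothing in the new code records that the `Tcl_CreateChannelHandler` call at the end of the second `if (makeCH)` block must remain the last statement that touches `esPtr`; the added comment only covers the initialise-before-register half of the invariant. The comment itself says the watch proc can run `TclChannelEventScriptInvoker` immediately, so the record may be used re-entrantly before the call returns, and if that path can also unlink or free the record (not visible in this hunk) any later access would be a use-after-free. I would add `/* Must stay last: the handler may fire re-entrantly, do not touch esPtr after this call. */` above the call and, while there, correct the comment typos to `calling` and `'watchProc'`. It is also worth confirming against the struct definition, which is outside this page, that the five assigned fields are all of `EventScriptRecord`, since the `ckalloc` result is presumably not zeroed. The body of `CreateScriptRecord` begins before this hunk.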