diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | generic/tclExecute.c | 12 |
2 files changed, 15 insertions, 2 deletions
@@ -1,3 +1,8 @@ +2009-03-20 Don Porter <dgp@users.sourceforge.net> + + * generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow + the max length of a Tcl value. [Bug 2669109] + 2009-03-18 Don Porter <dgp@users.sourceforge.net> * win/tclWinFile.c (TclpObjNormalizePath): Corrected Tcl_Obj leak. diff --git a/generic/tclExecute.c b/generic/tclExecute.c index 26cfba3..3bf099e 100644 --- a/generic/tclExecute.c +++ b/generic/tclExecute.c @@ -13,7 +13,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclExecute.c,v 1.369.2.6 2008/12/16 22:04:00 ferrieux Exp $ + * RCS: @(#) $Id: tclExecute.c,v 1.369.2.7 2009/03/20 14:35:06 dgp Exp $ */ #include "tclInt.h" @@ -2112,13 +2112,18 @@ TclExecuteByteCode( * Compute the length to be appended. */ - for (currPtr=&OBJ_AT_DEPTH(opnd-2); currPtr<=&OBJ_AT_TOS; currPtr++) { + for (currPtr=&OBJ_AT_DEPTH(opnd-2); + appendLen >= 0 && currPtr<=&OBJ_AT_TOS; currPtr++) { bytes = TclGetStringFromObj(*currPtr, &length); if (bytes != NULL) { appendLen += length; } } + if (appendLen < 0) { + Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX); + } + /* * If nothing is to be appended, just return the first object by * dropping all the others from the stack; this saves both the @@ -2142,6 +2147,9 @@ TclExecuteByteCode( objResultPtr = OBJ_AT_DEPTH(opnd-1); bytes = TclGetStringFromObj(objResultPtr, &length); + if (length + appendLen < 0) { + Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX); + } #if !TCL_COMPILE_DEBUG if (bytes != tclEmptyStringRep && !Tcl_IsShared(objResultPtr)) { TclFreeIntRep(objResultPtr); |