summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--generic/tclExecute.c12
2 files changed, 15 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 31d8032..9b7f01b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-03-20 Don Porter <dgp@users.sourceforge.net>
+
+ * generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow
+ the max length of a Tcl value. [Bug 2669109]
+
2009-03-18 Don Porter <dgp@users.sourceforge.net>
* win/tclWinFile.c (TclpObjNormalizePath): Corrected Tcl_Obj leak.
diff --git a/generic/tclExecute.c b/generic/tclExecute.c
index 26cfba3..3bf099e 100644
--- a/generic/tclExecute.c
+++ b/generic/tclExecute.c
@@ -13,7 +13,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclExecute.c,v 1.369.2.6 2008/12/16 22:04:00 ferrieux Exp $
+ * RCS: @(#) $Id: tclExecute.c,v 1.369.2.7 2009/03/20 14:35:06 dgp Exp $
*/
#include "tclInt.h"
@@ -2112,13 +2112,18 @@ TclExecuteByteCode(
* Compute the length to be appended.
*/
- for (currPtr=&OBJ_AT_DEPTH(opnd-2); currPtr<=&OBJ_AT_TOS; currPtr++) {
+ for (currPtr=&OBJ_AT_DEPTH(opnd-2);
+ appendLen >= 0 && currPtr<=&OBJ_AT_TOS; currPtr++) {
bytes = TclGetStringFromObj(*currPtr, &length);
if (bytes != NULL) {
appendLen += length;
}
}
+ if (appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+ }
+
/*
* If nothing is to be appended, just return the first object by
* dropping all the others from the stack; this saves both the
@@ -2142,6 +2147,9 @@ TclExecuteByteCode(
objResultPtr = OBJ_AT_DEPTH(opnd-1);
bytes = TclGetStringFromObj(objResultPtr, &length);
+ if (length + appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+ }
#if !TCL_COMPILE_DEBUG
if (bytes != tclEmptyStringRep && !Tcl_IsShared(objResultPtr)) {
TclFreeIntRep(objResultPtr);