summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ChangeLog12
-rw-r--r--generic/tclBinary.c15
-rw-r--r--generic/tclInt.h4
-rw-r--r--generic/tclStringObj.c6
4 files changed, 27 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 9e418d5..8041e6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2010-04-30 Don Porter <dgp@users.sourceforge.net>
+
+ * generic/tclBinary.c (TclAppendBytesToByteArray): Add comments
+ * generic/tclInt.h (TclAppendBytesToByteArray): placing overflow
+ protection responsibility on caller. Convert "len" argument to signed
+ int which any value already vetted for overflow issues will fit into.
+ * generic/tclStringObj.c: Update caller; standardize panic msg.
+
+ * generic/tclBinary.c (UpdateStringOfByteArray): Add panic
+ when the generated string representation would grow beyond Tcl's
+ size limits. [Bug 2994924]
+
2010-04-30 Donal K. Fellows <dkf@users.sf.net>
* generic/tclBinary.c (TclAppendBytesToByteArray): Add extra armour
diff --git a/generic/tclBinary.c b/generic/tclBinary.c
index b74be98..3264a70 100644
--- a/generic/tclBinary.c
+++ b/generic/tclBinary.c
@@ -10,7 +10,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclBinary.c,v 1.63 2010/04/30 14:06:41 dkf Exp $
+ * RCS: @(#) $Id: tclBinary.c,v 1.64 2010/04/30 20:52:51 dgp Exp $
*/
#include "tclInt.h"
@@ -553,11 +553,14 @@ UpdateStringOfByteArray(
*/
size = length;
- for (i = 0; i < length; i++) {
+ for (i = 0; i < length && size >= 0; i++) {
if ((src[i] == 0) || (src[i] > 127)) {
size++;
}
}
+ if (size < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+ }
dst = (char *) ckalloc((unsigned) (size + 1));
objPtr->bytes = dst;
@@ -581,7 +584,9 @@ UpdateStringOfByteArray(
*
* This function appends an array of bytes to a byte array object. Note
* that the object *must* be unshared, and the array of bytes *must not*
- * refer to the object being appended to.
+ * refer to the object being appended to. Also the caller must have
+ * already checked that the final length of the bytearray after the
+ * append operations is complete will not overflow the int range.
*
* Results:
* None.
@@ -597,7 +602,7 @@ void
TclAppendBytesToByteArray(
Tcl_Obj *objPtr,
const unsigned char *bytes,
- unsigned len)
+ int len)
{
ByteArray *byteArrayPtr;
@@ -613,7 +618,7 @@ TclAppendBytesToByteArray(
* If we need to, resize the allocated space in the byte array.
*/
- if (byteArrayPtr->used + (int)len > byteArrayPtr->allocated) {
+ if (byteArrayPtr->used + len > byteArrayPtr->allocated) {
unsigned int attempt, used = byteArrayPtr->used;
ByteArray *tmpByteArrayPtr = NULL;
diff --git a/generic/tclInt.h b/generic/tclInt.h
index 9c5ec7f..5e37a56 100644
--- a/generic/tclInt.h
+++ b/generic/tclInt.h
@@ -15,7 +15,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclInt.h,v 1.474 2010/04/29 15:08:06 dkf Exp $
+ * RCS: @(#) $Id: tclInt.h,v 1.475 2010/04/30 20:52:51 dgp Exp $
*/
#ifndef _TCLINT
@@ -2802,7 +2802,7 @@ struct Tcl_LoadHandle_ {
*/
MODULE_SCOPE void TclAppendBytesToByteArray(Tcl_Obj *objPtr,
- const unsigned char *bytes, unsigned len);
+ const unsigned char *bytes, int len);
MODULE_SCOPE int TclNREvalCmd(Tcl_Interp *interp, Tcl_Obj *objPtr,
int flags);
MODULE_SCOPE void TclPushTailcallPoint(Tcl_Interp *interp);
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index e91b8a4..9e2e3aa 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -33,7 +33,7 @@
* See the file "license.terms" for information on usage and redistribution of
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tclStringObj.c,v 1.136 2010/04/29 15:08:07 dkf Exp $ */
+ * RCS: @(#) $Id: tclStringObj.c,v 1.137 2010/04/30 20:52:51 dgp Exp $ */
#include "tclInt.h"
#include "tommath.h"
@@ -1248,10 +1248,10 @@ Tcl_AppendObjToObj(
(void) Tcl_GetByteArrayFromObj(appendObjPtr, &lengthSrc);
lengthTotal = length + lengthSrc;
if (((length > lengthSrc) ? length : lengthSrc) > lengthTotal) {
- Tcl_Panic("overflow when calculating byte array size");
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
}
bytesSrc = Tcl_GetByteArrayFromObj(appendObjPtr, NULL);
- TclAppendBytesToByteArray(objPtr, bytesSrc, (unsigned) lengthSrc);
+ TclAppendBytesToByteArray(objPtr, bytesSrc, lengthSrc);
return;
}