From e86bb45b55c6b47d64f14589e770f19f996aee47 Mon Sep 17 00:00:00 2001 From: dgp Date: Tue, 29 Sep 2009 04:43:58 +0000 Subject: * generic/tclAlloc.c: Cleaned up various routines in the * generic/tclCkalloc.c: call stacks for memory allocation to * generic/tclInt.h: guarantee that any size values computed * generic/tclThreadAlloc.c: are within the domains of the routines they get passed to. [Bugs 2557696 and 2557796]. --- ChangeLog | 8 ++++++++ generic/tclAlloc.c | 12 +++++++----- generic/tclCkalloc.c | 30 ++++++++++++++++++------------ generic/tclInt.h | 13 ++++++++++++- generic/tclThreadAlloc.c | 30 +++++++++++++++++++++++++++--- 5 files changed, 72 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 84cb6ad..0980e51 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2009-09-29 Don Porter + + * generic/tclAlloc.c: Cleaned up various routines in the + * generic/tclCkalloc.c: call stacks for memory allocation to + * generic/tclInt.h: guarantee that any size values computed + * generic/tclThreadAlloc.c: are within the domains of the routines + they get passed to. [Bugs 2557696 and 2557796]. + 2009-09-11 Don Porter * library/http/http.tcl: Bump to http 2.7.4 to account for diff --git a/generic/tclAlloc.c b/generic/tclAlloc.c index de21c7c..3df29d7 100644 --- a/generic/tclAlloc.c +++ b/generic/tclAlloc.c @@ -15,7 +15,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclAlloc.c,v 1.27 2007/12/17 15:28:27 msofer Exp $ + * RCS: @(#) $Id: tclAlloc.c,v 1.27.2.1 2009/09/29 04:43:58 dgp Exp $ */ /* @@ -265,7 +265,7 @@ TclpAlloc( register union overhead *overPtr; register long bucket; register unsigned amount; - struct block *bigBlockPtr; + struct block *bigBlockPtr = NULL; if (!allocInit) { /* @@ -281,9 +281,11 @@ TclpAlloc( * First the simple case: we simple allocate big blocks directly. */ - if (numBytes + OVERHEAD >= MAXMALLOC) { - bigBlockPtr = (struct block *) TclpSysAlloc((unsigned) - (sizeof(struct block) + OVERHEAD + numBytes), 0); + if (numBytes >= MAXMALLOC - OVERHEAD) { + if (numBytes <= UINT_MAX - OVERHEAD -sizeof(struct block)) { + bigBlockPtr = (struct block *) TclpSysAlloc((unsigned) + (sizeof(struct block) + OVERHEAD + numBytes), 0); + } if (bigBlockPtr == NULL) { Tcl_MutexUnlock(allocMutexPtr); return NULL; diff --git a/generic/tclCkalloc.c b/generic/tclCkalloc.c index ee259d4..a29208a 100644 --- a/generic/tclCkalloc.c +++ b/generic/tclCkalloc.c @@ -14,7 +14,7 @@ * * This code contributed by Karl Lehenbauer and Mark Diekhans * - * RCS: @(#) $Id: tclCkalloc.c,v 1.32 2007/04/23 20:33:56 das Exp $ + * RCS: @(#) $Id: tclCkalloc.c,v 1.32.4.1 2009/09/29 04:43:58 dgp Exp $ */ #include "tclInt.h" @@ -87,8 +87,8 @@ static struct mem_header *allocHead = NULL; /* List of allocated structures */ static int total_mallocs = 0; static int total_frees = 0; -static int current_bytes_malloced = 0; -static int maximum_bytes_malloced = 0; +static size_t current_bytes_malloced = 0; +static size_t maximum_bytes_malloced = 0; static int current_malloc_packets = 0; static int maximum_malloc_packets = 0; static int break_on_malloc = 0; @@ -175,11 +175,11 @@ TclDumpMemoryInfo( total_frees); fprintf(outFile,"current packets allocated %10d\n", current_malloc_packets); - fprintf(outFile,"current bytes allocated %10d\n", + fprintf(outFile,"current bytes allocated %10lu\n", current_bytes_malloced); fprintf(outFile,"maximum packets allocated %10d\n", maximum_malloc_packets); - fprintf(outFile,"maximum bytes allocated %10d\n", + fprintf(outFile,"maximum bytes allocated %10lu\n", maximum_bytes_malloced); } @@ -376,14 +376,17 @@ Tcl_DbCkalloc( CONST char *file, int line) { - struct mem_header *result; + struct mem_header *result = NULL; if (validate_memory) { Tcl_ValidateAllMemory(file, line); } - result = (struct mem_header *) TclpAlloc((unsigned)size + - sizeof(struct mem_header) + HIGH_GUARD_SIZE); + /* Don't let size argument to TclpAlloc overflow */ + if (size <= UINT_MAX - HIGH_GUARD_SIZE -sizeof(struct mem_header)) { + result = (struct mem_header *) TclpAlloc((unsigned)size + + sizeof(struct mem_header) + HIGH_GUARD_SIZE); + } if (result == NULL) { fflush(stdout); TclDumpMemoryInfo(stderr); @@ -467,14 +470,17 @@ Tcl_AttemptDbCkalloc( CONST char *file, int line) { - struct mem_header *result; + struct mem_header *result = NULL; if (validate_memory) { Tcl_ValidateAllMemory(file, line); } - result = (struct mem_header *) TclpAlloc((unsigned)size + - sizeof(struct mem_header) + HIGH_GUARD_SIZE); + /* Don't let size argument to TclpAlloc overflow */ + if (size <= UINT_MAX - HIGH_GUARD_SIZE - sizeof(struct mem_header)) { + result = (struct mem_header *) TclpAlloc((unsigned)size + + sizeof(struct mem_header) + HIGH_GUARD_SIZE); + } if (result == NULL) { fflush(stdout); TclDumpMemoryInfo(stderr); @@ -843,7 +849,7 @@ MemoryCmd( } if (strcmp(argv[1],"info") == 0) { Tcl_SetObjResult(interp, Tcl_ObjPrintf( - "%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n", + "%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10lu\n%-25s %10d\n%-25s %10lu\n", "total mallocs", total_mallocs, "total frees", total_frees, "current packets allocated", current_malloc_packets, "current bytes allocated", current_bytes_malloced, diff --git a/generic/tclInt.h b/generic/tclInt.h index b39eeb6..30c663f 100644 --- a/generic/tclInt.h +++ b/generic/tclInt.h @@ -13,7 +13,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclInt.h,v 1.362.2.8 2009/08/25 21:01:05 andreas_kupries Exp $ + * RCS: @(#) $Id: tclInt.h,v 1.362.2.9 2009/09/29 04:43:58 dgp Exp $ */ #ifndef _TCLINT @@ -3607,10 +3607,15 @@ MODULE_SCOPE void TclDbInitNewObj(Tcl_Obj *objPtr); *---------------------------------------------------------------- */ +#define TCL_MAX_TOKENS (int)(UINT_MAX / sizeof(Tcl_Token)) #define TCL_MIN_TOKEN_GROWTH 50 #define TclGrowTokenArray(tokenPtr, used, available, append, staticPtr) \ { \ int needed = (used) + (append); \ + if (needed > TCL_MAX_TOKENS) { \ + Tcl_Panic("max # of tokens for a Tcl parse (%d) exceeded", \ + TCL_MAX_TOKENS); \ + } \ if (needed > (available)) { \ int allocated = 2 * needed; \ Tcl_Token *oldPtr = (tokenPtr); \ @@ -3618,10 +3623,16 @@ MODULE_SCOPE void TclDbInitNewObj(Tcl_Obj *objPtr); if (oldPtr == (staticPtr)) { \ oldPtr = NULL; \ } \ + if (allocated > TCL_MAX_TOKENS) { \ + allocated = TCL_MAX_TOKENS; \ + } \ newPtr = (Tcl_Token *) attemptckrealloc( (char *) oldPtr, \ (unsigned int) (allocated * sizeof(Tcl_Token))); \ if (newPtr == NULL) { \ allocated = needed + (append) + TCL_MIN_TOKEN_GROWTH; \ + if (allocated > TCL_MAX_TOKENS) { \ + allocated = TCL_MAX_TOKENS; \ + } \ newPtr = (Tcl_Token *) ckrealloc( (char *) oldPtr, \ (unsigned int) (allocated * sizeof(Tcl_Token))); \ } \ diff --git a/generic/tclThreadAlloc.c b/generic/tclThreadAlloc.c index 0850d66..e32ad84 100755 --- a/generic/tclThreadAlloc.c +++ b/generic/tclThreadAlloc.c @@ -11,7 +11,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclThreadAlloc.c,v 1.27 2008/03/20 09:49:16 dkf Exp $ + * RCS: @(#) $Id: tclThreadAlloc.c,v 1.27.2.1 2009/09/29 04:43:59 dgp Exp $ */ #include "tclInt.h" @@ -288,11 +288,23 @@ char * TclpAlloc( unsigned int reqSize) { - Cache *cachePtr = TclpGetAllocCache(); + Cache *cachePtr; Block *blockPtr; register int bucket; size_t size; + if (sizeof(int) >= sizeof(size_t)) { + /* An unsigned int overflow can also be a size_t overflow */ + const size_t zero = 0; + const size_t max = ~zero; + + if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) { + /* Requested allocation exceeds memory */ + return NULL; + } + } + + cachePtr = TclpGetAllocCache(); if (cachePtr == NULL) { cachePtr = GetCache(); } @@ -414,7 +426,7 @@ TclpRealloc( char *ptr, unsigned int reqSize) { - Cache *cachePtr = TclpGetAllocCache(); + Cache *cachePtr; Block *blockPtr; void *newPtr; size_t size, min; @@ -424,6 +436,18 @@ TclpRealloc( return TclpAlloc(reqSize); } + if (sizeof(int) >= sizeof(size_t)) { + /* An unsigned int overflow can also be a size_t overflow */ + const size_t zero = 0; + const size_t max = ~zero; + + if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) { + /* Requested allocation exceeds memory */ + return NULL; + } + } + + cachePtr = TclpGetAllocCache(); if (cachePtr == NULL) { cachePtr = GetCache(); } -- cgit v0.12