From 2a48cc8339e254c85a4879e73946dc2b8e73593f Mon Sep 17 00:00:00 2001
From: dkf
Date: Thu, 25 Aug 2005 21:48:41 +0000
Subject: Better to panic sanely than to crash with a bad memory access. [Bug 1267380]
---
 ChangeLog | 4 ++++
 generic/tclListObj.c | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 6fc4686..75724ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2005-08-25 Donal K. Fellows
+ * generic/tclListObj.c (UpdateStringOfList): Stop uncontrolled and
+ unsafe crashes from happening when working with very large string
+ representations. [Bug 1267380]
+
 * generic/tclExecute.c (TEBC:INST_DICT_LAPPEND): Stop dropping a duplicated object on the floor, which was a memory leak (and a wrong result too). Thanks to Andreas Kupries for reporting this.
diff --git a/generic/tclListObj.c b/generic/tclListObj.c
index 7aaa8e0..1279a05 100644
--- a/generic/tclListObj.c
+++ b/generic/tclListObj.c
@@ -10,7 +10,7 @@
 * See the file "license.terms" for information on usage and redistribution of
 * this file, and for a DISCLAIMER OF ALL WARRANTIES.
 *
- * RCS: @(#) $Id: tclListObj.c,v 1.24 2005/07/19 00:09:07 dkf Exp $
+ * RCS: @(#) $Id: tclListObj.c,v 1.25 2005/08/25 21:48:41 dkf Exp $
 */
 #include "tclInt.h"
@@ -1613,6 +1613,12 @@ UpdateStringOfList(listPtr)
 elem = Tcl_GetStringFromObj(elemPtrs[i], &length);
 listPtr->length += Tcl_ScanCountedElement(elem, length, &flagPtr[i]) + 1;
+ /*
+ * Check for continued sanity. [Bug 1267380]
+ */
+ if (listPtr->length < 1) {
+ Tcl_Panic("string representation size exceeds sane bounds");
+ }
 }
 /*
--
cgit v0.12
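Review bot: The added `listPtr->length < 1` test in UpdateStringOfList runs after `listPtr->length += ... + 1`, so it can only notice the overflow once it has already happened; if `length` is a signed int, as the `< 1` comparison suggests, that addition is undefined behaviour in C and an optimising compiler is entitled to drop the test. The test also relies on the wrapped sum landing at or below zero, which is not guaranteed if Tcl_ScanCountedElement itself returns a wrapped value for a very large element. Checking the remaining headroom before the addition keeps the panic reliable; the fence below uses a new int local `needed`, declared with the function's other locals outside this hunk, and assumes INT_MAX is visible through tclInt.h. The enclosing loop and the rest of the function body lie outside the hunk.

```c
	elem = Tcl_GetStringFromObj(elemPtrs[i], &length);
	needed = Tcl_ScanCountedElement(elem, length, &flagPtr[i]);
	/*
	 * Refuse to grow past INT_MAX before the addition is performed,
	 * rather than inspecting the result afterwards. [Bug 1267380]
	 */
	if (needed < 0 || needed > INT_MAX - 1 - listPtr->length) {
	    Tcl_Panic("string representation size exceeds sane bounds");
	}
	listPtr->length += needed + 1;
```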