From ab808831bd7d76198dfc874049b9fd00b009646e Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Fri, 5 May 2017 17:12:52 +0000
Subject: [6015221f59] Segfault after overflow of [binary] field specifier
 numeric count.

---
 generic/tclBinary.c | 10 +++++++++-
 tests/binary.test   | 12 ++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/generic/tclBinary.c b/generic/tclBinary.c
index 68289f2..cbe4970 100644
--- a/generic/tclBinary.c
+++ b/generic/tclBinary.c
@@ -1528,7 +1528,15 @@ GetFormatSpec(
 	(*formatPtr)++;
 	(*countPtr) = BINARY_ALL;
     } else if (isdigit(UCHAR(**formatPtr))) { /* INTL: digit */
-	(*countPtr) = strtoul(*formatPtr, formatPtr, 10);
+	unsigned long int count;
+
+	errno = 0;
+	count = strtoul(*formatPtr, formatPtr, 10);
+	if (errno || (count > (unsigned long) INT_MAX)) {
+	    (*countPtr) = INT_MAX;
+	} else {
+	    (*countPtr) = (int) count;
+	}
     } else {
 	(*countPtr) = BINARY_NOCOUNT;
     }
diff --git a/tests/binary.test b/tests/binary.test
index e43b9f4..20aa7d3 100644
--- a/tests/binary.test
+++ b/tests/binary.test
@@ -1420,6 +1420,18 @@ test binary-37.9 {GetFormatSpec: numbers} {
     binary scan $x f* bla
     set bla
 } {1.0 -1.0 2.0 -2.0 0.0}
+test binary-37.10 {GetFormatSpec: count overflow} {
+    binary scan x a[format %ld 0x7fffffff] r
+} 0
+test binary-37.11 {GetFormatSpec: count overflow} {
+    binary scan x a[format %ld 0x10000000] r
+} 0
+test binary-37.12 {GetFormatSpec: count overflow} {
+    binary scan x a[format %ld 0x100000000] r
+} 0
+test binary-37.13 {GetFormatSpec: count overflow} {
+    binary scan x a[format %lld 0x10000000000000000] r
+} 0
 
 test binary-38.1 {FormatNumber: word alignment} {
     set x [binary format c1s1 1 1]
-- 
cgit v0.12