From 1d9466df83ad7999d5e606e39121eb3dd68b737f Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Tue, 29 Sep 2009 05:03:46 +0000
Subject:         * generic/tclAlloc.c:           Cleaned up various routines
 in the         * generic/tclCkalloc.c:         call stacks for memory
 allocation to         * generic/tclInt.h:             guarantee that any size
 values computed         * generic/tclThreadAlloc.c:     are within the
 domains of the routines         they get passed to.  [Bugs 2557696 and
 2557796].

---
 ChangeLog                |  8 ++++++++
 generic/tclAlloc.c       | 12 +++++++-----
 generic/tclCkalloc.c     | 30 ++++++++++++++++++------------
 generic/tclInt.h         | 17 ++++++++++++++---
 generic/tclThreadAlloc.c | 30 +++++++++++++++++++++++++++---
 5 files changed, 74 insertions(+), 23 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index c0b5b3d..5fcf4a7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-09-29  Don Porter  <dgp@users.sourceforge.net>
+
+	* generic/tclAlloc.c:           Cleaned up various routines in the
+	* generic/tclCkalloc.c:         call stacks for memory allocation to
+	* generic/tclInt.h:             guarantee that any size values computed
+	* generic/tclThreadAlloc.c:     are within the domains of the routines
+	they get passed to.  [Bugs 2557696 and 2557796].
+
 2009-09-28  Don Porter  <dgp@users.sourceforge.net>
 
 	* generic/tclCmdMZ.c:	Replaced TclProcessReturn() calls with
diff --git a/generic/tclAlloc.c b/generic/tclAlloc.c
index de21c7c..04627a6 100644
--- a/generic/tclAlloc.c
+++ b/generic/tclAlloc.c
@@ -15,7 +15,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclAlloc.c,v 1.27 2007/12/17 15:28:27 msofer Exp $
+ * RCS: @(#) $Id: tclAlloc.c,v 1.28 2009/09/29 05:03:46 dgp Exp $
  */
 
 /*
@@ -265,7 +265,7 @@ TclpAlloc(
     register union overhead *overPtr;
     register long bucket;
     register unsigned amount;
-    struct block *bigBlockPtr;
+    struct block *bigBlockPtr = NULL;
 
     if (!allocInit) {
 	/*
@@ -281,9 +281,11 @@ TclpAlloc(
      * First the simple case: we simple allocate big blocks directly.
      */
 
-    if (numBytes + OVERHEAD >= MAXMALLOC) {
-	bigBlockPtr = (struct block *) TclpSysAlloc((unsigned)
-		(sizeof(struct block) + OVERHEAD + numBytes), 0);
+    if (numBytes >= MAXMALLOC - OVERHEAD) {
+	if (numBytes <= UINT_MAX - OVERHEAD -sizeof(struct block)) {
+	    bigBlockPtr = (struct block *) TclpSysAlloc((unsigned)
+		    (sizeof(struct block) + OVERHEAD + numBytes), 0);
+	}
 	if (bigBlockPtr == NULL) {
 	    Tcl_MutexUnlock(allocMutexPtr);
 	    return NULL;
diff --git a/generic/tclCkalloc.c b/generic/tclCkalloc.c
index 9a3b4e3..9d9343f 100644
--- a/generic/tclCkalloc.c
+++ b/generic/tclCkalloc.c
@@ -14,7 +14,7 @@
  *
  * This code contributed by Karl Lehenbauer and Mark Diekhans
  *
- * RCS: @(#) $Id: tclCkalloc.c,v 1.36 2009/06/18 09:41:26 dkf Exp $
+ * RCS: @(#) $Id: tclCkalloc.c,v 1.37 2009/09/29 05:03:46 dgp Exp $
  */
 
 #include "tclInt.h"
@@ -87,8 +87,8 @@ static struct mem_header *allocHead = NULL;  /* List of allocated structures */
 
 static int total_mallocs = 0;
 static int total_frees = 0;
-static int current_bytes_malloced = 0;
-static int maximum_bytes_malloced = 0;
+static size_t current_bytes_malloced = 0;
+static size_t maximum_bytes_malloced = 0;
 static int current_malloc_packets = 0;
 static int maximum_malloc_packets = 0;
 static int break_on_malloc = 0;
@@ -175,11 +175,11 @@ TclDumpMemoryInfo(
 	    total_frees);
     fprintf(outFile,"current packets allocated %10d\n",
 	    current_malloc_packets);
-    fprintf(outFile,"current bytes allocated   %10d\n",
+    fprintf(outFile,"current bytes allocated   %10lu\n",
 	    current_bytes_malloced);
     fprintf(outFile,"maximum packets allocated %10d\n",
 	    maximum_malloc_packets);
-    fprintf(outFile,"maximum bytes allocated   %10d\n",
+    fprintf(outFile,"maximum bytes allocated   %10lu\n",
 	    maximum_bytes_malloced);
 }
 
@@ -376,14 +376,17 @@ Tcl_DbCkalloc(
     const char *file,
     int line)
 {
-    struct mem_header *result;
+    struct mem_header *result = NULL;
 
     if (validate_memory) {
 	Tcl_ValidateAllMemory(file, line);
     }
 
-    result = (struct mem_header *) TclpAlloc((unsigned)size +
-	    sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+    /* Don't let size argument to TclpAlloc overflow */
+    if (size <= UINT_MAX - HIGH_GUARD_SIZE -sizeof(struct mem_header)) {
+	result = (struct mem_header *) TclpAlloc((unsigned)size +
+		sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+    }
     if (result == NULL) {
 	fflush(stdout);
 	TclDumpMemoryInfo(stderr);
@@ -467,14 +470,17 @@ Tcl_AttemptDbCkalloc(
     const char *file,
     int line)
 {
-    struct mem_header *result;
+    struct mem_header *result = NULL;
 
     if (validate_memory) {
 	Tcl_ValidateAllMemory(file, line);
     }
 
-    result = (struct mem_header *) TclpAlloc((unsigned)size +
-	    sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+    /* Don't let size argument to TclpAlloc overflow */
+    if (size <= UINT_MAX - HIGH_GUARD_SIZE - sizeof(struct mem_header)) {
+	result = (struct mem_header *) TclpAlloc((unsigned)size +
+		sizeof(struct mem_header) + HIGH_GUARD_SIZE);
+    }
     if (result == NULL) {
 	fflush(stdout);
 	TclDumpMemoryInfo(stderr);
@@ -842,7 +848,7 @@ MemoryCmd(
     }
     if (strcmp(argv[1],"info") == 0) {
 	Tcl_SetObjResult(interp, Tcl_ObjPrintf(
-		"%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10d\n",
+		"%-25s %10d\n%-25s %10d\n%-25s %10d\n%-25s %10lu\n%-25s %10d\n%-25s %10lu\n",
 		"total mallocs", total_mallocs, "total frees", total_frees,
 		"current packets allocated", current_malloc_packets,
 		"current bytes allocated", current_bytes_malloced,
diff --git a/generic/tclInt.h b/generic/tclInt.h
index d34be28..1d1851e 100644
--- a/generic/tclInt.h
+++ b/generic/tclInt.h
@@ -15,7 +15,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclInt.h,v 1.443 2009/09/24 17:19:18 dgp Exp $
+ * RCS: @(#) $Id: tclInt.h,v 1.444 2009/09/29 05:03:46 dgp Exp $
  */
 
 #ifndef _TCLINT
@@ -3875,10 +3875,15 @@ MODULE_SCOPE void	TclDbInitNewObj(Tcl_Obj *objPtr, const char *file,
  *----------------------------------------------------------------
  */
 
+#define TCL_MAX_TOKENS (int)(UINT_MAX / sizeof(Tcl_Token))
 #define TCL_MIN_TOKEN_GROWTH 50
 #define TclGrowTokenArray(tokenPtr, used, available, append, staticPtr)	\
 {									\
     int needed = (used) + (append);					\
+    if (needed > TCL_MAX_TOKENS) {					\
+	Tcl_Panic("max # of tokens for a Tcl parse (%d) exceeded",	\
+		TCL_MAX_TOKENS);					\
+    }									\
     if (needed > (available)) {						\
 	int allocated = 2 * needed;					\
 	Tcl_Token *oldPtr = (tokenPtr);					\
@@ -3886,12 +3891,18 @@ MODULE_SCOPE void	TclDbInitNewObj(Tcl_Obj *objPtr, const char *file,
 	if (oldPtr == (staticPtr)) {					\
 	    oldPtr = NULL;						\
 	}								\
+	if (allocated > TCL_MAX_TOKENS) {				\
+	    allocated = TCL_MAX_TOKENS;					\
+	}								\
 	newPtr = (Tcl_Token *) attemptckrealloc((char *) oldPtr,	\
-		(unsigned) (allocated * sizeof(Tcl_Token)));	\
+		(unsigned int) (allocated * sizeof(Tcl_Token)));	\
 	if (newPtr == NULL) {						\
 	    allocated = needed + (append) + TCL_MIN_TOKEN_GROWTH;	\
+	    if (allocated > TCL_MAX_TOKENS) {				\
+		allocated = TCL_MAX_TOKENS;				\
+	    }								\
 	    newPtr = (Tcl_Token *) ckrealloc((char *) oldPtr,		\
-		    (unsigned) (allocated * sizeof(Tcl_Token)));	\
+		    (unsigned int) (allocated * sizeof(Tcl_Token)));	\
 	}								\
 	(available) = allocated;					\
 	if (oldPtr == NULL) {						\
diff --git a/generic/tclThreadAlloc.c b/generic/tclThreadAlloc.c
index ba30637..a47b0d8 100755
--- a/generic/tclThreadAlloc.c
+++ b/generic/tclThreadAlloc.c
@@ -11,7 +11,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclThreadAlloc.c,v 1.29 2009/01/09 11:21:46 dkf Exp $
+ * RCS: @(#) $Id: tclThreadAlloc.c,v 1.30 2009/09/29 05:03:46 dgp Exp $
  */
 
 #include "tclInt.h"
@@ -292,11 +292,23 @@ char *
 TclpAlloc(
     unsigned int reqSize)
 {
-    Cache *cachePtr = TclpGetAllocCache();
+    Cache *cachePtr;
     Block *blockPtr;
     register int bucket;
     size_t size;
 
+    if (sizeof(int) >= sizeof(size_t)) {
+	/* An unsigned int overflow can also be a size_t overflow */
+	const size_t zero = 0;
+	const size_t max = ~zero;
+
+	if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) {
+	    /* Requested allocation exceeds memory */
+	    return NULL;
+	}
+    }
+
+    cachePtr = TclpGetAllocCache();
     if (cachePtr == NULL) {
 	cachePtr = GetCache();
     }
@@ -418,7 +430,7 @@ TclpRealloc(
     char *ptr,
     unsigned int reqSize)
 {
-    Cache *cachePtr = TclpGetAllocCache();
+    Cache *cachePtr;
     Block *blockPtr;
     void *newPtr;
     size_t size, min;
@@ -428,6 +440,18 @@ TclpRealloc(
 	return TclpAlloc(reqSize);
     }
 
+    if (sizeof(int) >= sizeof(size_t)) {
+	/* An unsigned int overflow can also be a size_t overflow */
+	const size_t zero = 0;
+	const size_t max = ~zero;
+
+	if (((size_t) reqSize) > max - sizeof(Block) - RCHECK) {
+	    /* Requested allocation exceeds memory */
+	    return NULL;
+	}
+    }
+
+    cachePtr = TclpGetAllocCache();
     if (cachePtr == NULL) {
 	cachePtr = GetCache();
     }
-- 
cgit v0.12