From fc29863f3fe1e359b0a7727e0b8a46d7b5cef69e Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Fri, 30 Apr 2010 20:52:51 +0000
Subject:         * generic/tclBinary.c (TclAppendBytesToByteArray):      Add
 comments         * generic/tclInt.h (TclAppendBytesToByteArray): placing
 overflow         protection responsibility on caller.  Convert "len" argument
 to signed         int which any value already vetted for overflow issues will
 fit into.         * generic/tclStringObj.c:       Update caller; standardize
 panic msg.

        * generic/tclBinary.c (UpdateStringOfByteArray):        Add panic
        when the generated string representation would grow beyond Tcl's
        size limits.  [Bug 2994924]
---
 ChangeLog              | 12 ++++++++++++
 generic/tclBinary.c    | 15 ++++++++++-----
 generic/tclInt.h       |  4 ++--
 generic/tclStringObj.c |  6 +++---
 4 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9e418d5..8041e6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2010-04-30  Don Porter  <dgp@users.sourceforge.net>
+
+	* generic/tclBinary.c (TclAppendBytesToByteArray):	Add comments
+	* generic/tclInt.h (TclAppendBytesToByteArray):	placing overflow
+	protection responsibility on caller.  Convert "len" argument to signed
+	int which any value already vetted for overflow issues will fit into.
+	* generic/tclStringObj.c:	Update caller; standardize panic msg. 
+
+	* generic/tclBinary.c (UpdateStringOfByteArray):	Add panic
+	when the generated string representation would grow beyond Tcl's
+	size limits.  [Bug 2994924]
+
 2010-04-30  Donal K. Fellows  <dkf@users.sf.net>
 
 	* generic/tclBinary.c (TclAppendBytesToByteArray): Add extra armour
diff --git a/generic/tclBinary.c b/generic/tclBinary.c
index b74be98..3264a70 100644
--- a/generic/tclBinary.c
+++ b/generic/tclBinary.c
@@ -10,7 +10,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclBinary.c,v 1.63 2010/04/30 14:06:41 dkf Exp $
+ * RCS: @(#) $Id: tclBinary.c,v 1.64 2010/04/30 20:52:51 dgp Exp $
  */
 
 #include "tclInt.h"
@@ -553,11 +553,14 @@ UpdateStringOfByteArray(
      */
 
     size = length;
-    for (i = 0; i < length; i++) {
+    for (i = 0; i < length && size >= 0; i++) {
 	if ((src[i] == 0) || (src[i] > 127)) {
 	    size++;
 	}
     }
+    if (size < 0) {
+	Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+    }
 
     dst = (char *) ckalloc((unsigned) (size + 1));
     objPtr->bytes = dst;
@@ -581,7 +584,9 @@ UpdateStringOfByteArray(
  *
  *	This function appends an array of bytes to a byte array object. Note
  *	that the object *must* be unshared, and the array of bytes *must not*
- *	refer to the object being appended to.
+ *	refer to the object being appended to.  Also the caller must have
+ *	already checked that the final length of the bytearray after the
+ *	append operations is complete will not overflow the int range.
  *
  * Results:
  *	None.
@@ -597,7 +602,7 @@ void
 TclAppendBytesToByteArray(
     Tcl_Obj *objPtr,
     const unsigned char *bytes,
-    unsigned len)
+    int len)
 {
     ByteArray *byteArrayPtr;
 
@@ -613,7 +618,7 @@ TclAppendBytesToByteArray(
      * If we need to, resize the allocated space in the byte array.
      */
 
-    if (byteArrayPtr->used + (int)len > byteArrayPtr->allocated) {
+    if (byteArrayPtr->used + len > byteArrayPtr->allocated) {
 	unsigned int attempt, used = byteArrayPtr->used;
 	ByteArray *tmpByteArrayPtr = NULL;
 
diff --git a/generic/tclInt.h b/generic/tclInt.h
index 9c5ec7f..5e37a56 100644
--- a/generic/tclInt.h
+++ b/generic/tclInt.h
@@ -15,7 +15,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclInt.h,v 1.474 2010/04/29 15:08:06 dkf Exp $
+ * RCS: @(#) $Id: tclInt.h,v 1.475 2010/04/30 20:52:51 dgp Exp $
  */
 
 #ifndef _TCLINT
@@ -2802,7 +2802,7 @@ struct Tcl_LoadHandle_ {
  */
 
 MODULE_SCOPE void	TclAppendBytesToByteArray(Tcl_Obj *objPtr,
-			    const unsigned char *bytes, unsigned len);
+			    const unsigned char *bytes, int len);
 MODULE_SCOPE int	TclNREvalCmd(Tcl_Interp *interp, Tcl_Obj *objPtr,
 			    int flags);
 MODULE_SCOPE void	TclPushTailcallPoint(Tcl_Interp *interp);
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index e91b8a4..9e2e3aa 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -33,7 +33,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclStringObj.c,v 1.136 2010/04/29 15:08:07 dkf Exp $ */
+ * RCS: @(#) $Id: tclStringObj.c,v 1.137 2010/04/30 20:52:51 dgp Exp $ */
 
 #include "tclInt.h"
 #include "tommath.h"
@@ -1248,10 +1248,10 @@ Tcl_AppendObjToObj(
 	(void) Tcl_GetByteArrayFromObj(appendObjPtr, &lengthSrc);
 	lengthTotal = length + lengthSrc;
 	if (((length > lengthSrc) ? length : lengthSrc) > lengthTotal) {
-	    Tcl_Panic("overflow when calculating byte array size");
+	    Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
 	}
 	bytesSrc = Tcl_GetByteArrayFromObj(appendObjPtr, NULL);
-	TclAppendBytesToByteArray(objPtr, bytesSrc, (unsigned) lengthSrc);
+	TclAppendBytesToByteArray(objPtr, bytesSrc, lengthSrc);
 	return;
     }
 
-- 
cgit v0.12