From a8d345d8f8f69ab77a2110e5838f61475ec15c8f Mon Sep 17 00:00:00 2001 From: dgp Date: Fri, 20 Mar 2009 14:22:54 +0000 Subject: * generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow the max length of a Tcl value. [Bug 2669109] --- ChangeLog | 5 +++++ generic/tclExecute.c | 10 ++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ce814b6..5fd15a7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2009-03-20 Don Porter + + * generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow + the max length of a Tcl value. [Bug 2669109] + 2009-03-18 Don Porter * win/tclWinFile.c (TclpObjNormalizePath): Corrected Tcl_Obj leak. diff --git a/generic/tclExecute.c b/generic/tclExecute.c index 657ac80..065024c 100644 --- a/generic/tclExecute.c +++ b/generic/tclExecute.c @@ -11,7 +11,7 @@ * See the file "license.terms" for information on usage and redistribution * of this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclExecute.c,v 1.94.2.27 2008/07/23 04:08:00 dgp Exp $ + * RCS: @(#) $Id: tclExecute.c,v 1.94.2.28 2009/03/20 14:22:54 dgp Exp $ */ #include "tclInt.h" @@ -1442,13 +1442,19 @@ TclExecuteByteCode(interp, codePtr) * First, determine how many characters are needed. */ - for (i = (stackTop - (opnd-1)); i <= stackTop; i++) { + for (i = (stackTop - (opnd-1)); + totalLen >= 0 && i <= stackTop; i++) { bytes = Tcl_GetStringFromObj(stackPtr[i], &length); if (bytes != NULL) { totalLen += length; } } + if (totalLen < 0) { + Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", + INT_MAX); + } + /* * Initialize the new append string object by appending the * strings of the opnd stack objects. Also pop the objects. -- cgit v0.12