From 49dfd861199470b98849897f9d94ad4691438d4e Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Wed, 4 Feb 2009 18:15:47 +0000
Subject:         * generic/tclCmdMZ.c:   Prevent crashes due to int overflow
 of the         length of the result of [string repeat].  [Bug 2561746]

---
 ChangeLog          |  5 +++++
 generic/tclCmdMZ.c | 25 ++++++++++++++-----------
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 56a77f9..cc51b8d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-02-04  Don Porter  <dgp@users.sourceforge.net>
+
+	* generic/tclCmdMZ.c:	Prevent crashes due to int overflow of the
+	length of the result of [string repeat].  [Bug 2561746]
+
 2009-02-03  Jan Nijtmans  <nijtmans@users.sf.net>
 
 	* macosx/tclMacOSXFCmd.c - eliminate some unnessary type casts
diff --git a/generic/tclCmdMZ.c b/generic/tclCmdMZ.c
index 22de674..b0c90a4 100644
--- a/generic/tclCmdMZ.c
+++ b/generic/tclCmdMZ.c
@@ -15,7 +15,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclCmdMZ.c,v 1.177 2009/02/03 23:34:32 nijtmans Exp $
+ * RCS: @(#) $Id: tclCmdMZ.c,v 1.178 2009/02/04 18:15:48 dgp Exp $
  */
 
 #include "tclInt.h"
@@ -2155,22 +2155,25 @@ StringReptCmd(
     /*
      * Only build up a string that has data. Instead of building it up with
      * repeated appends, we just allocate the necessary space once and copy
-     * the string value in. Check for overflow with back-division. [Bug
-     * #714106]
+     * the string value in.
+     *
+     * We have to worry about overflow [Bugs 714106, 2561746].
+     * At this point we know 1 <= length1 <= INT_MAX and 2 <= count <= INT_MAX.
+     * We need to keep 2 <= length2 <= INT_MAX.
      */
 
-    length2 = length1 * count + 1;
-    if ((length2-1) / count != length1) {
+    if (count > (INT_MAX / length1)) {
 	Tcl_SetObjResult(interp, Tcl_ObjPrintf(
-		"string size overflow, must be less than %d", INT_MAX));
+		"max size for a Tcl value (%d bytes) exceeded", INT_MAX));
 	return TCL_ERROR;
     }
+    length2 = length1 * count;
 
     /*
      * Include space for the NUL.
      */
 
-    string2 = attemptckalloc((size_t) length2);
+    string2 = attemptckalloc((unsigned) length2 + 1);
     if (string2 == NULL) {
 	/*
 	 * Alloc failed. Note that in this case we try to do an error message
@@ -2180,14 +2183,14 @@ StringReptCmd(
 	 */
 
 	Tcl_SetObjResult(interp, Tcl_ObjPrintf(
-		"string size overflow, out of memory allocating %d bytes",
-		length2));
+		"string size overflow, out of memory allocating %u bytes",
+		length2 + 1));
 	return TCL_ERROR;
     }
     for (index = 0; index < count; index++) {
 	memcpy(string2 + (length1 * index), string1, (size_t) length1);
     }
-    string2[length2-1] = '\0';
+    string2[length2] = '\0';
 
     /*
      * We have to directly assign this instead of using Tcl_SetStringObj (and
@@ -2197,7 +2200,7 @@ StringReptCmd(
 
     TclNewObj(resultPtr);
     resultPtr->bytes = string2;
-    resultPtr->length = length2-1;
+    resultPtr->length = length2;
     Tcl_SetObjResult(interp, resultPtr);
 
   done:
-- 
cgit v0.12