From c664b11f1bbac55099085e6d49731f0c023bb7d6 Mon Sep 17 00:00:00 2001
From: dgp
Date: Thu, 27 Aug 2009 19:34:24 +0000
Subject: * generic/tclStringObj.c: A few more string overflow cases in [format]. [Bug 2845535]
---
 ChangeLog | 5 +++++
 generic/tclStringObj.c | 16 +++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 2b3e396..17e91fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-08-27 Don Porter
+
+ * generic/tclStringObj.c: A few more string overflow cases in
+ [format]. [Bug 2845535]
+
 2009-08-25 Andreas Kupries
 * generic/tclBasic.c (Tcl_CreateInterp, Tcl_EvalTokensStandard,
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index 9ba62f5..8b33fe1 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -33,7 +33,7 @@
 * See the file "license.terms" for information on usage and redistribution of
 * this file, and for a DISCLAIMER OF ALL WARRANTIES.
 *
- * RCS: @(#) $Id: tclStringObj.c,v 1.128 2009/07/31 16:55:58 dgp Exp $ */
+ * RCS: @(#) $Id: tclStringObj.c,v 1.129 2009/08/27 19:34:24 dgp Exp $ */
 #include "tclInt.h"
 #include "tommath.h"
@@ -2218,6 +2218,10 @@ Tcl_AppendFormatToObj(
 if (gotPrecision) {
 *p++ = '.';
 p += sprintf(p, "%d", precision);
+ if (precision > INT_MAX - length) {
+ msg=overflow;
+ goto errorMsg;
+ }
 length += precision;
 }
@@ -2230,9 +2234,15 @@ Tcl_AppendFormatToObj(
 segment = Tcl_NewObj();
 allocSegment = 1;
- Tcl_SetObjLength(segment, length);
+ if (!Tcl_AttemptSetObjLength(segment, length)) {
+ msg = overflow;
+ goto errorMsg;
+ }
 bytes = TclGetString(segment);
- Tcl_SetObjLength(segment, sprintf(bytes, spec, d));
+ if (!Tcl_AttemptSetObjLength(segment, sprintf(bytes, spec, d))) {
+ msg = overflow;
+ goto errorMsg;
+ }
 break;
 }
 default:
--
cgit v0.12
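Review bot: The new guard `precision > INT_MAX - length` in the `gotPrecision` branch is only sound while `length` is non-negative at that point, which the hunk does not show; a short comment such as `/* length >= 0 here, so INT_MAX - length cannot wrap */` would record the assumption the check depends on. The assignment is written `msg=overflow;` here but `msg = overflow;` in the two branches added further down, so the spacing should be aligned. The diffstat lists only ChangeLog and generic/tclStringObj.c, so no regression test accompanies the fix for Bug 2845535. Tcl_AppendFormatToObj begins and ends outside the hunk.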
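Review bot: Both new `goto errorMsg` exits are taken after `segment = Tcl_NewObj()` and `allocSegment = 1`, and the `errorMsg` label lies outside the hunk, so it should be confirmed that the error path releases `segment`; otherwise each rejected format leaks one object. Separately, `sprintf(bytes, spec, d)` remains unbounded, so the write is only safe if `length` is a true upper bound for the formatted value; the added checks catch a failed allocation, not an underestimate. A negative return from `sprintf` would also be handed to `Tcl_AttemptSetObjLength` as a length and reported as an overflow. Capturing the result first makes that case explicit, e.g. `n = sprintf(bytes, spec, d);` followed by `if (n < 0 || !Tcl_AttemptSetObjLength(segment, n)) {`. The enclosing case block and Tcl_AppendFormatToObj begin outside the hunk.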