From 7e727bed70653d181a190d921ea951707ad4078a Mon Sep 17 00:00:00 2001
From: sebres <sebres@users.sourceforge.net>
Date: Thu, 26 Jul 2018 15:57:38 +0000
Subject: closes [d051b77fc18d7340]: fixed segfault by integer overflow (if
 width by format like "%4000000000g" overflows to negative values by scan of
 length)

---
 generic/tclStringObj.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index 996be77..462ef04 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -1938,6 +1938,10 @@ Tcl_AppendFormatToObj(
 	width = 0;
 	if (isdigit(UCHAR(ch))) {
 	    width = strtoul(format, &end, 10);
+	    if (width < 0) {
+		msg = overflow;
+		goto errorMsg;
+	    }
 	    format = end;
 	    step = Tcl_UtfToUniChar(format, &ch);
 	} else if (ch == '*') {
-- 
cgit v0.12


From c7cdc550c4e27c7ab0e3d4537cff99167b4509fd Mon Sep 17 00:00:00 2001
From: sebres <sebres@users.sourceforge.net>
Date: Thu, 26 Jul 2018 16:46:47 +0000
Subject: test cases added to cover width overflow by format (should cause
 limit exceeded)

---
 tests/format.test | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tests/format.test b/tests/format.test
index d43b7eb..5797f2b 100644
--- a/tests/format.test
+++ b/tests/format.test
@@ -565,6 +565,20 @@ test format-19.3 {Bug 2830354} {
     string length [format %340f 0]
 } 340
 
+test format-19.4.1 {Bug d498578df4: width overflow should cause limit exceeded} \
+-constraints {longIs32bit} -body {
+    # in case of overflow into negative, it produces width -2 (and limit exceeded),
+    # in case of width will be unsigned, it will be outside limit (2GB for 32bit)...
+    # and it don't throw an error in case the bug is not fixed (and probably no segfault).
+    format %[expr {0xffffffff - 1}]g 0
+} -returnCodes error -result "max size for a Tcl value exceeded"
+
+test format-19.4.2 {Bug d498578df4: width overflow should cause limit exceeded} -body {
+    # limit should exceeds in any case,
+    # and it don't throw an error in case the bug is not fixed (and probably no segfault).
+    format %[expr {0xffffffffffffffff - 1}]g 0
+} -returnCodes error -result "max size for a Tcl value exceeded"
+
 # cleanup
 catch {unset a}
 catch {unset b}
-- 
cgit v0.12