From 6559f4084e844e187198c5471bfd15f19c8dfecc Mon Sep 17 00:00:00 2001
From: apnadkarni
Date: Thu, 3 Nov 2022 12:26:41 +0000
Subject: Bug [0f98bce669]. Fix limits for string replace.
---
 generic/tclCmdMZ.c | 3 +++
 generic/tclInt.h | 3 ++-
 generic/tclStringObj.c | 8 ++++----
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/generic/tclCmdMZ.c b/generic/tclCmdMZ.c
index 83e5647..f94d914 100644
--- a/generic/tclCmdMZ.c
+++ b/generic/tclCmdMZ.c
@@ -2437,6 +2437,9 @@ StringRplcCmd(
 last + 1 - first, (objc == 5) ? objv[4] : NULL,
 TCL_STRING_IN_PLACE);
+ if (resultPtr == NULL) {
+ return TCL_ERROR;
+ }
 Tcl_SetObjResult(interp, resultPtr);
 }
 return TCL_OK;
diff --git a/generic/tclInt.h b/generic/tclInt.h
index 39ddef2..a17ce7d 100644
--- a/generic/tclInt.h
+++ b/generic/tclInt.h
@@ -105,7 +105,8 @@
 #endif
 /*
- * Maximum *signed* value that can be stored in a Tcl_Size type.
+ * Maximum *signed* value that can be stored in a Tcl_Size type. This is
+ * primarily used for checking overflows in dynamically allocating memory.
 */
 #define TCL_SIZE_SMAX ((((Tcl_Size) 1) << ((8*sizeof(Tcl_Size)) - 1)) - 1)
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index f8b795e..7c0d626 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -4100,11 +4100,11 @@ TclStringReplace(
 return objPtr;
 }
- if ((size_t)newBytes > INT_MAX - (numBytes - count)) {
+ if (newBytes > (TCL_SIZE_SMAX - (numBytes - count))) {
 if (interp) {
 Tcl_SetObjResult(interp, Tcl_ObjPrintf(
- "max size for a Tcl value (%d bytes) exceeded",
- INT_MAX));
+ "max size for a Tcl value (%" TCL_Z_MODIFIER "u bytes) exceeded",
+ TCL_SIZE_SMAX));
 Tcl_SetErrorCode(interp, "TCL", "MEMORY", NULL);
 }
 return NULL;
@@ -4139,7 +4139,7 @@ TclStringReplace(
 if (insertPtr) {
 Tcl_AppendObjToObj(result, insertPtr);
 }
- if (first + count < (size_t)numChars) {
+ if ((first + count) < numChars) {
 Tcl_AppendUnicodeToObj(result, ustring + first + count,
 numChars - first - count);
 }
--
cgit v0.12
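Review bot: In the tclCmdMZ.c hunk the new `if (resultPtr == NULL)` branch returns TCL_ERROR with no indication of where the error message comes from. It depends on TclStringReplace having already stored the message, which the tclStringObj.c hunk does only inside `if (interp)`; a comment such as `/* TclStringReplace already left the size-limit error in interp */` above the check would record that contract. The diffstat touches only three files under generic/, so this NULL path appears to ship without a regression test. StringRplcCmd starts and ends outside the hunk.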
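Review bot: In the first tclStringObj.c hunk, `TCL_SIZE_SMAX - (numBytes - count)` is a safe bound only when `count <= numBytes`, and the lines that guarantee this are not in the hunk; an assert or a short comment beside the check would keep the overflow guard from silently depending on earlier clamping. The message now passes `TCL_SIZE_SMAX`, whose type is `Tcl_Size`, to a `u` conversion with the size modifier; if `Tcl_Size` is signed in this branch the argument should be cast, e.g. `(size_t)TCL_SIZE_SMAX));`. TclStringReplace continues outside the hunk.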
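Review bot: In the second tclStringObj.c hunk, removing the `(size_t)` cast from `(first + count) < numChars` leaves the comparison dependent on the declared types of `first`, `count` and `numChars`, none of which are visible here. If they are signed, the sum can overflow for a large `count` before it is compared, and the same sum is used to offset `ustring` on the next line; `if (count < numChars - first) {` avoids the addition, provided `first <= numChars` is already established. The surrounding function body lies outside the hunk.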