From 43b5729ddf6c0793a6f6bb7c35dd30f4ea9ece17 Mon Sep 17 00:00:00 2001
From: apnadkarni
Date: Tue, 2 May 2023 16:08:30 +0000
Subject: Fix [784befb0ba] - tailcall crash
---
 generic/tclCompCmdsSZ.c | 2 +-
 tests/tailcall.test | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/generic/tclCompCmdsSZ.c b/generic/tclCompCmdsSZ.c
index 383abc2..355c741 100644
--- a/generic/tclCompCmdsSZ.c
+++ b/generic/tclCompCmdsSZ.c
@@ -2618,7 +2618,7 @@ TclCompileTailcallCmd(
 Tcl_Token *tokenPtr = parsePtr->tokenPtr;
 int i;
- if (parsePtr->numWords < 2 || parsePtr->numWords > 256
+ if (parsePtr->numWords < 2 || parsePtr->numWords >= 256
 || envPtr->procPtr == NULL) {
 return TCL_ERROR;
 }
diff --git a/tests/tailcall.test b/tests/tailcall.test
index 3704333..35a7268 100644
--- a/tests/tailcall.test
+++ b/tests/tailcall.test
@@ -708,6 +708,13 @@ test tailcall-14.1-bc {{in a deleted namespace} {byte compiled}} -body {
 }
 } -returnCodes 1 -result {namespace "::ns" not found}
+test tailcall-bug-784befb0ba {tailcall crash with 254 args} -body {
+ proc tccrash args {llength $args}
+ # Must be EXACTLY 254 for crash
+ proc p {} [list tailcall tccrash {*}[lrepeat 254 x]]
+ p
+} -result 254
+
 # cleanup
 ::tcltest::cleanupTests
-- 
cgit v0.12
From df75b9195608f60545ced2c165c87ad65288c66d Mon Sep 17 00:00:00 2001
From: apnadkarni
Date: Tue, 2 May 2023 16:33:39 +0000
Subject: Fix [ab123cfd3d] - scan ubsan. Tx chrstphrchvz for patch
---
 generic/tclScan.c | 15 +++++++++------
 tests/scan.test | 5 +++++
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/generic/tclScan.c b/generic/tclScan.c
index f37f596..ba3d90f 100644
--- a/generic/tclScan.c
+++ b/generic/tclScan.c
@@ -305,7 +305,7 @@ ValidateFormat(
 * format string.
 */
- value = strtoul(format-1, &end, 10); /* INTL: "C" locale. */
+ unsigned long ul = strtoul(format-1, &end, 10); /* INTL: "C" locale. */
 if (*end != '$') {
 goto notXpg;
 }
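Review bot: The limit in `parsePtr->numWords >= 256` is an unexplained magic number, and the off-by-one this commit corrects is exactly what such a bare bound invites; the hunk gives a reader no way to see why 256 words is one too many. A comment above the condition would carry the reasoning, e.g. `/* 256 words would overflow the argument-count operand of the compiled tailcall; see tailcall-bug-784befb0ba */` — the operand-width part is my inference from the fix and the test's "EXACTLY 254" remark, so adjust it to whatever the emitted instruction actually bounds. Naming the bound next to the instruction definition would let this check and the emitter share one value instead of agreeing by coincidence. TclCompileTailcallCmd begins before the hunk and continues after it.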
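Review bot: tailcall-bug-784befb0ba creates `tccrash` and `p` inside `-body` and never removes them, so both procs outlive the test in the global namespace and can mask or collide with procs defined by later tests. Adding `-cleanup {rename tccrash {}; rename p {}}` keeps the test self-contained. The `# Must be EXACTLY 254 for crash` comment would be more useful if it said why: together with `tailcall` and the command name that is 256 words, the value the compiler check in tclCompCmdsSZ.c now rejects.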
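Review bot: `strtoul` returns ULONG_MAX and sets errno to ERANGE when the digit run overflows, and nothing in this hunk says what happens then; only the `ul >= INT_MAX` guard in the following hunk (`@@ -315,17`) rejects that value, so the two hunks are coupled by an invariant written down in neither. I would extend the trailing comment to `/* INTL: "C" locale. Overflow yields ULONG_MAX, rejected by the INT_MAX check below. */`. errno is left set to ERANGE on that path, which is harmless if nothing downstream reads errno, but worth confirming. ValidateFormat begins before the hunk and continues after it.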
@@ -315,17 +315,20 @@ ValidateFormat(
 if (gotSequential) {
 goto mixedXPG;
 }
- objIndex = value - 1;
- if ((objIndex < 0) || (numVars && (objIndex >= numVars))) {
+ if (ul == 0 || ul >= INT_MAX) {
+ goto badIndex;
+ }
+ objIndex = (int) ul - 1;
+ if (numVars && (objIndex >= numVars)) {
 goto badIndex;
 } else if (numVars == 0) {
 /*
 * In the case where no vars are specified, the user can
 * specify %9999$ legally, so we have to consider special
- * rules for growing the assign array. 'value' is guaranteed
- * to be > 0.
+ * rules for growing the assign array. 'ul' is guaranteed
+ * to be > 0 and < INT_MAX as per checks above.
 */
- xpgSize = (xpgSize > value) ? xpgSize : value;
+ xpgSize = (xpgSize > (int)ul) ? xpgSize : (int)ul;
 }
 goto xpgCheckDone;
 }
diff --git a/tests/scan.test b/tests/scan.test
index 300335e..cd2ba63 100644
--- a/tests/scan.test
+++ b/tests/scan.test
@@ -852,6 +852,11 @@ test scan-13.8 {Tcl_ScanObjCmd, inline XPG case lots of arguments} {
 set msg [scan "10 20 30" {%100$d %5$d %200$d}]
 list [llength $msg] [lindex $msg 99] [lindex $msg 4] [lindex $msg 199]
 } {200 10 20 30}
+test scan-13.9 {Tcl_ScanObjCmd, inline XPG case limit error} -body {
+ # Note this applies to 64-bit builds as well so long as max number of
+ # command line arguments allowed for scan command is INT_MAX
+ scan abc {%2147483648$s}
+} -result {"%n$" argument index out of range} -returnCodes error
 # scan infinities - not working
-- 
cgit v0.12
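Review bot: scan-13.9 exercises only the upper edge of the new `ul == 0 || ul >= INT_MAX` guard in tclScan.c; the lower edge, index zero, has no test even though `%0$` now reaches `badIndex` through the same condition. A sibling case, `scan abc {%0$s}` with the same `-result {"%n$" argument index out of range} -returnCodes error`, would pin both edges. The 64-bit remark in the comment could also say what it relies on: where the literal fits an unsigned long it is the `>= INT_MAX` comparison that rejects it, and where it does not, strtoul's ULONG_MAX return is rejected by the same comparison.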