From 772d2da10b02fc06220a92d5f9d4f33b752a9553 Mon Sep 17 00:00:00 2001
From: pooryorick
Date: Sun, 22 Jul 2018 20:44:16 +0000
Subject: Fix for [ba921a8d98e02a96] - concatenating binary array with empty string yields the empty string.
---
 generic/tclStringObj.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index 3bb6112..2cda2c4 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -3065,24 +3065,22 @@ TclStringCat(
 * Result will be pure byte array. Pre-size it
 */
+ int numBytes;
 ov = objv;
 oc = objc;
 do {
 Tcl_Obj *objPtr = *ov++;
- if (objPtr->bytes == NULL) {
- int numBytes;
+ Tcl_GetByteArrayFromObj(objPtr, &numBytes); /* PANIC? */
- Tcl_GetByteArrayFromObj(objPtr, &numBytes); /* PANIC? */
- if (numBytes) {
- last = objc - oc;
- if (length == 0) {
- first = last;
- } else if (numBytes > INT_MAX - length) {
- goto overflow;
- }
- length += numBytes;
+ if (numBytes) {
+ last = objc - oc;
+ if (length == 0) {
+ first = last;
+ } else if (numBytes > INT_MAX - length) {
+ goto overflow;
 }
+ length += numBytes;
 }
 } while (--oc);
 } else if (allowUniChar && requestUniChar) {
-- 
cgit v0.12
From 164a7f04c03e56a310d9386fd8ddbd6319c0c788 Mon Sep 17 00:00:00 2001
From: dgp
Date: Thu, 26 Jul 2018 15:51:28 +0000
Subject: New test for [Bug ba921a8d98].
---
 tests/string.test | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tests/string.test b/tests/string.test
index 868fc25..3f5fd81 100644
--- a/tests/string.test
+++ b/tests/string.test
@@ -2015,6 +2015,9 @@ test string-29.4 {string cat, many args} {
 list $r1 $r2
 } {0 0}
+test string-30.1 {[Bug ba921a8d98]} {
+ string cat [set data [binary format a* hello]] [encoding convertto $data] [unset data]
+} hellohello
 # cleanup
-- 
cgit v0.12
From 7e727bed70653d181a190d921ea951707ad4078a Mon Sep 17 00:00:00 2001
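Review bot: The relocated `Tcl_GetByteArrayFromObj` call keeps its `/* PANIC? */` marker, yet it now runs for every element of the loop rather than only those without a string rep, so the open question should be answered instead of carried forward. If the scan that selected this branch (its condition is outside the hunk) guarantees that every element converts to a byte array, replace the marker with `/* Cannot fail: this branch is only taken when every objv[] element is a byte array */`; if it does not, the pointer the call returns must be checked rather than annotated. A one-line why-comment stating that the conversion is deliberately forced on objects that do carry a string rep — the case the commit fixes — would also help the next reader, since that presumably replaces whatever other internal rep such an object had. The `do`/`while` loop is fully inside the hunk, but the `if` enclosing it begins before the hunk.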
From: sebres
Date: Thu, 26 Jul 2018 15:57:38 +0000
Subject: closes [d051b77fc18d7340]: fixed segfault by integer overflow (if width by format like "%4000000000g" overflows to negative values by scan of length)
---
 generic/tclStringObj.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index 996be77..462ef04 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -1938,6 +1938,10 @@ Tcl_AppendFormatToObj(
 width = 0;
 if (isdigit(UCHAR(ch))) {
 width = strtoul(format, &end, 10);
+ if (width < 0) {
+ msg = overflow;
+ goto errorMsg;
+ }
 format = end;
 step = Tcl_UtfToUniChar(format, &ch);
 } else if (ch == '*') {
-- 
cgit v0.12
From c7cdc550c4e27c7ab0e3d4537cff99167b4509fd Mon Sep 17 00:00:00 2001
From: sebres
Date: Thu, 26 Jul 2018 16:46:47 +0000
Subject: test cases added to cover width overflow by format (should cause limit exceeded)
---
 tests/format.test | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/tests/format.test b/tests/format.test
index d43b7eb..5797f2b 100644
--- a/tests/format.test
+++ b/tests/format.test 
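Review bot: The new `if (width < 0)` guard only catches `strtoul` results that land in the negative half of `int` after the implicit `unsigned long` → `int` conversion (the `< 0` test shows `width` is signed); on a build with 64-bit `long`, a field width such as 4294967301 is reduced modulo 2^32 to 5 by the usual implementations and is accepted silently, and the `ULONG_MAX` value `strtoul` returns on ERANGE is never consulted either. Comparing the unconverted result against `INT_MAX` closes both gaps, since `ULONG_MAX > INT_MAX` everywhere and the file already uses `INT_MAX`: `unsigned long w = strtoul(format, &end, 10);` / `if (w > INT_MAX) { msg = overflow; goto errorMsg; }` / `width = (int) w;`. The same pattern recurs in the later `errCode = "OVERFLOW"` hunk of this series, and the format-19.4.x tests added in between only exercise widths that wrap to a negative value, so a case just above 2^32 would pass on LP64 without detecting the truncation. Tcl_AppendFormatToObj begins and ends outside the hunk.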
@@ -565,6 +565,20 @@ test format-19.3 {Bug 2830354} {
 string length [format %340f 0]
 } 340
+test format-19.4.1 {Bug d498578df4: width overflow should cause limit exceeded} \
+-constraints {longIs32bit} -body {
+ # in case of overflow into negative, it produces width -2 (and limit exceeded),
+ # in case of width will be unsigned, it will be outside limit (2GB for 32bit)...
+ # and it don't throw an error in case the bug is not fixed (and probably no segfault).
+ format %[expr {0xffffffff - 1}]g 0
+} -returnCodes error -result "max size for a Tcl value exceeded"
+
+test format-19.4.2 {Bug d498578df4: width overflow should cause limit exceeded} -body {
+ # limit should exceeds in any case,
+ # and it don't throw an error in case the bug is not fixed (and probably no segfault).
+ format %[expr {0xffffffffffffffff - 1}]g 0
+} -returnCodes error -result "max size for a Tcl value exceeded"
+
 # cleanup
 catch {unset a}
 catch {unset b}
-- 
cgit v0.12
From 2133e40e589348c5df1b721c1d0e0ac2f2385505 Mon Sep 17 00:00:00 2001
From: sebres
Date: Thu, 26 Jul 2018 18:07:34 +0000
Subject: amend to [d498578df4], still one test for [Bug ba921a8d98] with inplace by subst inside string (compiled as "strcat" instruction)
---
 tests/string.test | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/string.test b/tests/string.test
index 3f5fd81..8fc5b0e 100644
--- a/tests/string.test
+++ b/tests/string.test
@@ -2015,9 +2015,12 @@ test string-29.4 {string cat, many args} {
 list $r1 $r2
 } {0 0}
-test string-30.1 {[Bug ba921a8d98]} {
+test string-30.1.1 {[Bug ba921a8d98]: string cat} {
 string cat [set data [binary format a* hello]] [encoding convertto $data] [unset data]
 } hellohello
+test string-30.1.2 {[Bug ba921a8d98]: inplace cat by subst (compiled to "strcat" instruction)} {
+ set x "[set data [binary format a* hello]][encoding convertto $data][unset data]"
+} hellohello
 # cleanup
-- 
cgit v0.12
From 590288982511400f0dd0f244fb753b01a8bae140 Mon Sep 17 00:00:00 2001
From: sebres
Date: Thu, 26 Jul 2018 18:56:41 +0000
Subject: amend after merge: 8.6th provide additionally an error-code (so missing `errCode = "OVERFLOW"`)
---
 generic/tclStringObj.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index 3139be4..493378c 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -1878,6 +1878,7 @@ Tcl_AppendFormatToObj(
 width = strtoul(format, &end, 10);
 if (width < 0) {
 msg = overflow;
+ errCode = "OVERFLOW";
 goto errorMsg;
 }
 format = end;
-- 
cgit v0.12