From 0dee7bed88062709f786693dc2edb4a33510db19 Mon Sep 17 00:00:00 2001
From: apnadkarni
Date: Tue, 15 Jul 2025 03:31:20 +0000
Subject: Proposed fix for [c9f0520f7e] Tcl_SplitList crash.
---
 generic/tclUtil.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/generic/tclUtil.c b/generic/tclUtil.c
index 0d2df75..442098c 100644
--- a/generic/tclUtil.c
+++ b/generic/tclUtil.c
@@ -835,7 +835,7 @@ TclCopyAndCollapse(
 * with the number of valid elements in the array. A single block of
 * memory is dynamically allocated to hold both the argv array and a copy
 * of the list (with backslashes and braces removed in the standard way).
- * The caller must eventually free this memory by calling free() on
+ * The caller must eventually free this memory by calling Tcl_Free() on
 * *argvPtr. Note: *argvPtr and *argcPtr are only modified if the
 * function returns normally.
 *
@@ -869,6 +869,11 @@ Tcl_SplitList(
 size = TclMaxListLength(list, -1, &end) + 1; length = end - list; + if (size >= (INT_MAX/sizeof(char *)) || length > (INT_MAX - 1 - (size * sizeof(char *)))) { Tcl_SetResult(interp, "memory allocation limit exceeded", TCL_STATIC); return TCL_ERROR; } argv = (const char **)ckalloc((size * sizeof(char *)) + length + 1); for (i = 0, p = ((char *) argv) + size*sizeof(char *);
-- cgit v0.12
From 4562b6d22c9ebabdc76c4bb5810cd0875fea6a8d Mon Sep 17 00:00:00 2001
From: "jan.nijtmans"
Date: Tue, 15 Jul 2025 10:14:35 +0000
Subject: Minor review comment (since 8.6 still uses ckfree)
---
 generic/tclUtil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/generic/tclUtil.c b/generic/tclUtil.c
index 442098c..623e280 100644
--- a/generic/tclUtil.c
+++ b/generic/tclUtil.c
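Review bot: The new guard in the `@@ -869,6 +869,11 @@` hunk mixes `int` and `size_t` in a way that is correct only by accident: if `size` and `length` are `int` as in the 8.6 branch, `length = end - list` has already been truncated from a pointer difference before the check runs, and a string longer than INT_MAX bytes is rejected only because the resulting negative `int` converts to a huge `size_t` in the `length > (INT_MAX - 1 - ...)` comparison. That holds today, but a later cleanup (say, making `length` unsigned or `size_t`) would silently re-open the under-allocation, presumably the crash this commit fixes, since the `ckalloc` argument is computed in `size_t` and then narrowed. I would compare the untruncated difference and make the promotions explicit, e.g. `if ((size_t) size >= INT_MAX / sizeof(char *) ||` / `(size_t)(end - list) > INT_MAX - 1 - (size_t) size * sizeof(char *)) {`, and add a comment above the block such as `/* Bound argv + copy to INT_MAX so the ckalloc size cannot wrap. */`. Tcl_SplitList's declarations and the rest of its body lie outside this hunk, so the types of `size` and `length` are inferred, not visible here.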
@@ -835,7 +835,7 @@ TclCopyAndCollapse(
 * with the number of valid elements in the array. A single block of
 * memory is dynamically allocated to hold both the argv array and a copy
 * of the list (with backslashes and braces removed in the standard way).
- * The caller must eventually free this memory by calling Tcl_Free() on
+ * The caller must eventually free this memory by calling ckfree() on
 * *argvPtr. Note: *argvPtr and *argcPtr are only modified if the
 * function returns normally.
 *
-- cgit v0.12
From 71581e9afa46c4b20c097d411398992dfaa95e86 Mon Sep 17 00:00:00 2001
From: apnadkarni
Date: Wed, 16 Jul 2025 11:26:46 +0000
Subject: Check interp for NULL before storing error!
---
 generic/tclUtil.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/generic/tclUtil.c b/generic/tclUtil.c
index 623e280..55c7212 100644
--- a/generic/tclUtil.c
+++ b/generic/tclUtil.c
@@ -871,7 +871,10 @@ Tcl_SplitList(
 length = end - list; if (size >= (INT_MAX/sizeof(char *)) || length > (INT_MAX - 1 - (size * sizeof(char *)))) { - Tcl_SetResult(interp, "memory allocation limit exceeded", TCL_STATIC); + if (interp) { Tcl_SetResult( interp, "memory allocation limit exceeded", TCL_STATIC); } return TCL_ERROR; } argv = (const char **)ckalloc((size * sizeof(char *)) + length + 1);
-- cgit v0.12
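Review bot: The allocation-limit path in the `@@ -871,7 +871,10 @@` hunk returns TCL_ERROR with only a message, so neither scripts nor C callers can distinguish "list too large" from a malformed list; if this branch sets errorCode on its other resource-limit failures, adding `Tcl_SetErrorCode(interp, "TCL", "MEMORY", NULL);` inside the new `if (interp)` block would keep this site consistent with them. The header comment of Tcl_SplitList (outside this hunk) describes when TCL_ERROR is returned and should now state that a list whose argv array plus string copy would exceed INT_MAX bytes is rejected too, so callers that treated TCL_ERROR as "not a valid list" learn about the new case. The same applies to the check as introduced in the first patch's `@@ -869,6 +869,11 @@` hunk; Tcl_SplitList's body continues on both sides of this hunk.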