#1047 Tcl_ScanCountedElement causes sigsegv on input with \x near

Milestone: obsolete: 8.2.1
Status: closed-fixed
Owner: nobody
Priority: 2
Updated: 2001-04-18
Created: 2000-10-26
Creator: Anonymous
Private: No

OriginalBugID: 3336 Bug
Version: 8.2.1
SubmitDate: '1999-11-05'
LastModified: '1999-12-04'
Severity: CRIT
Status: Released
Submitter: techsupp
ChangedBy: hobbs
OS: Linux
OSVersion: Debian (Potato)
FixedDate: '1999-12-04'
FixedInVersion: 8.2.3
ClosedDate: '2000-10-25'

Name: Patrick Earl

Comments:

This bug affects no less than 8.0.5, 8.2.0, and 8.2.1, probably the entire 8.x series.

I did not search for other occurrences of the same type of bug, where Tcl_UtfBackslash was called during the parsing of a counted string. Considering it can be remotely activated depending on the application, it is an important situation to check for. If you would like, I would be willing to look over the rest of the Tcl code for the same situation, although since my knowledge of the Tcl codebase is limited, there may be people more appropriate for that job.

ReproducibleScript:

Called Tcl_ScanCountedElement with a hex sequence as the last portion of the string. The string was not null terminated.

ObservedBehavior:

Tcl crashed and burned. In Tcl_ScanCountedElement it called Tcl_UtfBackslash which parsed the backslash sequence without any regard to where Tcl_ScanCountedElement knows the string ends.

Tcl_ScanCountedElement's loop checks for a != end condition, so if the end of your string happened to be \x01 and the next character in memory was a C, Tcl_UtfBackslash would parse it as \x01C and Tcl_ScanCountedElement would be messed up.

DesiredBehavior:

The loop should check for < instead of !=.

Either that, or there could be an if statement after the Tcl_UtfBackslash statement checking to see if it went over, and rectifying the situation if it did.

Patch:

*** tclUtil.c Fri May 21 19:20:13 1999

--- tclUtil.c.new Tue Oct 5 19:59:20 1999

***************

*** 581,587 ****

if ((p == lastChar) || (*p == '{') || (*p == '"')) {

flags |= USE_BRACES;

}

! for ( ; p != lastChar; p++) {

switch (*p) {

case '{':

nestingLevel++;

--- 581,587 ----

if ((p == lastChar) || (*p == '{') || (*p == '"')) {

flags |= USE_BRACES;

}

! for ( ; p < lastChar; p++) {

switch (*p) {

case '{':

nestingLevel++;
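Review bot: changing the loop test from `p != lastChar` to `p < lastChar` only makes the scan terminate once p has already been pushed past lastChar; the Tcl_UtfBackslash call in the backslash case (outside this hunk) still parses the bytes beyond the counted string, as the ObservedBehavior text describes, so the over-read itself is tolerated rather than removed. The second option in DesiredBehavior is the stronger fix: after the Tcl_UtfBackslash call, check whether p + size would pass lastChar, clamp p to lastChar and treat the element as needing brace quoting, so the decoder's result for bytes past the end is never acted on. A regression test that hands Tcl_ScanCountedElement a buffer ending in "\x01" with non-hex bytes immediately after it and no terminating NUL would pin the behaviour down.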

PatchFiles:

tclUtil.c

Added to 8.2.3.
-- 12/04/1999 hobbs
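As an added illustration (this is not Tcl's code and not part of the report), the C program below models the bug on a constructed buffer: a greedy escape decoder with no notion of where the counted element ends, the same decoder bounded by the element's end, and a scanner that uses the patched `p < end` loop test. The function names, the simplified "\x" parsing and the sample bytes are assumptions. What it shows is that the `<` test by itself only lets the scan stop after the decoder has already stepped past the element, whereas bounding the decoder keeps the scan inside the element.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the report's bug, not Tcl's code. The element is
 * the first 'length' bytes of 'string'; any bytes after that stand in for
 * whatever happens to sit beyond the element in process memory. */

/* Greedy "\xHH.." decoder with no idea where the element ends, mirroring
 * the behaviour the report attributes to Tcl_UtfBackslash. Stores the
 * number of bytes consumed in *sizePtr and returns the decoded byte. */
static int decode_backslash_unbounded(const char *p, int *sizePtr)
{
    const char *q = p + 1;              /* step over the backslash */
    int value = 0;

    if (*q == 'x') {
        q++;
        while (isxdigit((unsigned char)*q)) {
            int c = tolower((unsigned char)*q);
            value = value * 16 + (isdigit(c) ? c - '0' : c - 'a' + 10);
            q++;
        }
    } else {
        value = (unsigned char)*q;      /* plain "\c" escape */
        q++;
    }
    *sizePtr = (int)(q - p);
    return value & 0xff;
}

/* Same parse, but every read is guarded by 'end', so the decoder can never
 * consume a byte that belongs to the next element or to nothing at all.
 * A lone trailing backslash consumes only itself (size 1). */
static int decode_backslash_bounded(const char *p, const char *end, int *sizePtr)
{
    const char *q = p + 1;
    int value = 0;

    if (q < end && *q == 'x') {
        q++;
        while (q < end && isxdigit((unsigned char)*q)) {
            int c = tolower((unsigned char)*q);
            value = value * 16 + (isdigit(c) ? c - '0' : c - 'a' + 10);
            q++;
        }
    } else if (q < end) {
        value = (unsigned char)*q;
        q++;
    }
    *sizePtr = (int)(q - p);
    return value & 0xff;
}

/* Simplified counted-element walk using the patched 'p < end' test, so an
 * overshoot terminates the loop instead of running off into memory (with
 * '!=' a p that has jumped past end never becomes equal to it again).
 * Returns the number of bytes the scan stepped over: anything larger than
 * 'length' means the escape decoder read beyond the element. */
static int scan_counted(const char *string, int length, int bounded)
{
    const char *p = string;
    const char *end = string + length;
    int size;

    while (p < end) {
        if (*p == '\\') {
            if (bounded) {
                decode_backslash_bounded(p, end, &size);
            } else {
                decode_backslash_unbounded(p, &size);
            }
            p += size;
        } else {
            p++;
        }
    }
    return (int)(p - string);
}

int main(void)
{
    /* Constructed sample: the element is the 4 bytes "\x01"; the 'C' (and
     * the literal's NUL) play the part of bytes beyond the element. */
    static const char mem[] = "\\x01C";
    int len = 4;

    printf("unbounded decoder stepped over %d of %d bytes\n",
           scan_counted(mem, len, 0), len);
    printf("bounded decoder stepped over   %d of %d bytes\n",
           scan_counted(mem, len, 1), len);
    return 0;
}
```

The unbounded decoder reports 5 bytes for a 4-byte element because the 'C' beyond the element is a valid hex digit, exactly the \x01C case in the report; the bounded decoder stops at the element boundary and reports 4.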

Discussion

  • Brent B. Welch
    2000-10-26

    • priority: 5 --> 2
    • status: open --> closed-fixed

  • Don Porter
    2001-04-18

    • labels: 104246 --> 10. Objects