#3962 binary format crashes on x0s format string

obsolete: 8.5.1
closed-fixed
Pat Thoyts
9
2008-03-24
2008-03-24
No

[binary format] crashes when the "x" type character is present in the format string with the zero count attached and followed by any other meaningful type character that gets assigned a value:

% binary format x0s 1

Program received signal SIGSEGV, Segmentation fault.
0xb7edc7e0 in FormatNumber (interp=0x804c8d8, type=115, src=0x2,
cursorPtr=0xbfeceeb0)
at /home/kostix/devel/src/tcl/unix/../generic/tclBinary.c:1756
1756 if (TclGetLongFromObj(interp, src, &value) != TCL_OK) {
(gdb) bt
#0 0xb7edc7e0 in FormatNumber (interp=0x804c8d8, type=115, src=0x2,
cursorPtr=0xbfeceeb0)
at /home/kostix/devel/src/tcl/unix/../generic/tclBinary.c:1756
#1 0xb7edb42b in Tcl_BinaryObjCmd (dummy=0x0, interp=0x804c8d8, objc=4,
objv=0x804cf70)
at /home/kostix/devel/src/tcl/unix/../generic/tclBinary.c:988
#2 0xb7ed6266 in TclEvalObjvInternal (interp=0x804c8d8, objc=4,
objv=0x804cf70, command=0xffffffff <Address 0xffffffff out of bounds>,
length=-1, flags=0)
at /home/kostix/devel/src/tcl/unix/../generic/tclBasic.c:3649
#3 0xb7f2da77 in TclExecuteByteCode (interp=0x804c8d8, codePtr=0x806b8d0)
at /home/kostix/devel/src/tcl/unix/../generic/tclExecute.c:2314
#4 0xb7f2b897 in TclCompEvalObj (interp=0x804c8d8, objPtr=0x805c228,
invoker=0x0, word=0)
at /home/kostix/devel/src/tcl/unix/../generic/tclExecute.c:1460
#5 0xb7ed7c22 in TclEvalObjEx (interp=0x804c8d8, objPtr=0x805c228,
flags=131072, invoker=0x0, word=0)
at /home/kostix/devel/src/tcl/unix/../generic/tclBasic.c:4763
#6 0xb7ed7730 in Tcl_EvalObjEx (interp=0x804c8d8, objPtr=0x2, flags=131072)
at /home/kostix/devel/src/tcl/unix/../generic/tclBasic.c:4555
#7 0xb7f4418c in Tcl_RecordAndEvalObj (interp=0x804c8d8, cmdPtr=0x805c228,
flags=131072)
at /home/kostix/devel/src/tcl/unix/../generic/tclHistory.c:161
#8 0xb7f67b4d in Tcl_Main (argc=-1, argv=0xbfecff68,
appInitProc=0x804864b <Tcl_AppInit>)
at /home/kostix/devel/src/tcl/unix/../generic/tclMain.c:554
#9 0x0804863c in main (argc=Cannot access memory at address 0x73
)
at /home/kostix/devel/src/tcl/unix/../unix/tclAppInit.c:87

Verified to crash current CVS HEAD (8.5.1b2) and 8.4.16.

Probably the "x" type character with zero count should be treated as no-op (since it is a no-op, logically). Handling of this is useful for auto-generated format strings, such as in
set pad [calculate NUL-padding]
append s [binary format x${pad}... ...]

Discussion

  • Pat Thoyts
    2008-03-24

    • milestone: --> obsolete: 8.5.1
    • priority: 5 --> 9
     
  • Pat Thoyts
    2008-03-24

    Logged In: YES
    user_id=202636
    Originator: NO

    It's hitting a special case that short-circuits the loop in Tcl_BinaryObjCmd that also increments the argument counter. Added some tests and fixed by checking for both '@' and 'x' in the short-circuit test.

     
  • Pat Thoyts
    2008-03-24

    Logged In: YES
    user_id=202636
    Originator: NO

    Fixed in HEAD

     
  • Pat Thoyts
    2008-03-24

    Logged In: YES
    user_id=202636
    Originator: NO

    Backported to core-8-4-branch

     
  • Pat Thoyts
    2008-03-24

    • status: open --> closed-fixed
     
    • assigned_to: dkf --> patthoyts
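
The argument-index drift described in the fix comment above, as a simplified C model added here (an illustration, not Tcl's source or the committed patch). The field grammar and the names `walk_format`, `takes_arg` and `fixed` are assumptions; the model reports the out-of-bounds argument read instead of performing it.

```c
#include <ctype.h>
#include <stdio.h>

/* Simplified model (assumption, not Tcl source): a field is a type
 * character plus an optional decimal count. 'x' (NUL padding) and '@'
 * (cursor move) take no argument; every other type takes one. */
static int takes_arg(char type) { return type != 'x' && type != '@'; }

/* Walk fmt as the formatting loop would. Returns the argument index after
 * the last field, or -1 if a field would read an argument at or past nargs.
 * fixed == 0: the zero-count shortcut exempts only '@', so "x0" still
 *             advances the argument index (the reported behaviour).
 * fixed == 1: the shortcut exempts both '@' and 'x' (the described fix). */
int walk_format(const char *fmt, int nargs, int fixed)
{
    int arg = 0;
    while (*fmt) {
        char type = *fmt++;
        int count = 1;                       /* default when no count given */
        if (isdigit((unsigned char)*fmt)) {
            count = 0;
            while (isdigit((unsigned char)*fmt))
                count = count * 10 + (*fmt++ - '0');
        }
        if (count == 0 && type != '@' && !(fixed && type == 'x')) {
            arg++;                           /* skip this field's argument */
            continue;
        }
        if (!takes_arg(type))
            continue;                        /* padding or cursor move */
        if (arg >= nargs)
            return -1;                       /* would index past the argument array */
        arg++;
    }
    return arg;
}

int main(void)
{
    /* Constructed input: the format string from the report, one argument. */
    printf("before fix: %d\n", walk_format("x0s", 1, 0));
    printf("after fix:  %d\n", walk_format("x0s", 1, 1));
    return 0;
}
```
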