#4283 TclpAlloc() - no overflow protection

obsolete: 8.6b1.1
closed-fixed
Don Porter
5
2009-09-29
2009-02-02
Don Porter
No

The TclpAlloc() implementation in
tclThreadAlloc.c accepts an
(unsigned int) argument "reqSize"
for the number of bytes the caller
needs.

If a value greater than
(UINT_MAX - sizeof(Block)) is passed
in, then the calculation of the total
allocation needed including overhead
will overflow the unsigned int range,
and on systems where the range of
size_t is no bigger than the range
of unsigned int, the value of "size"
will overflow and the comparisons to
MAXALLOC, etc. may well return bogus
results.
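
Added example, not part of the original report or of Tcl's source: a minimal C model of the wraparound described above, next to a guard that rejects any reqSize greater than (UINT_MAX - sizeof(Block)). The Block layout, the MAXALLOC value and the function names are assumptions made for illustration, and the sum is computed in unsigned int to model a platform where size_t is no wider than unsigned int.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the allocator's per-block header; the real
 * Block layout in tclThreadAlloc.c is not shown in the report. */
typedef struct Block {
    struct Block *next;
    unsigned int reqSize;
} Block;

/* Assumed threshold for illustration only; the real MAXALLOC may differ. */
#define MAXALLOC 16384u

/* Unguarded total: request plus overhead, computed in unsigned int, so it
 * wraps modulo UINT_MAX + 1 when reqSize is close to UINT_MAX. */
static unsigned int total_unchecked(unsigned int reqSize)
{
    return reqSize + (unsigned int)sizeof(Block);
}

/* Guarded total: returns 1 and stores the sum when it fits, 0 when
 * reqSize > UINT_MAX - sizeof(Block), the condition from the report. */
static int total_checked(unsigned int reqSize, unsigned int *total)
{
    if (reqSize > UINT_MAX - (unsigned int)sizeof(Block)) {
        return 0;
    }
    *total = reqSize + (unsigned int)sizeof(Block);
    return 1;
}

/* The kind of size-class comparison that goes wrong on a wrapped total. */
static int looks_small(unsigned int total)
{
    return total <= MAXALLOC;
}

int main(void)
{
    unsigned int req = UINT_MAX - 3u;   /* constructed input */
    unsigned int total = 0;

    printf("unchecked: total=%u looks_small=%d\n",
           total_unchecked(req), looks_small(total_unchecked(req)));
    printf("checked:   accepted=%d\n", total_checked(req, &total));
    return 0;
}
```

With the unguarded sum, a request of nearly UINT_MAX bytes yields a total of only a few bytes and passes the small-allocation comparison; the guarded version refuses it before any size comparison runs.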

Discussion

  • Don Porter
    2009-02-02

    Here's a patch.
    File Added: 2557796.patch

     
  • Don Porter
    2009-09-29

    fixed on all branches

     
  • Don Porter
    2009-09-29

    • assigned_to: hobbs --> dgp
    • status: open --> closed-fixed