From: SourceForge.net <no...@so...> - 2005-08-25 21:56:36
Bugs item #1267380, was opened at 2005-08-23 12:17
Message generated for change (Comment added) made by hobbs
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=1267380&group_id=10894

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: 14. List Object
Group: development: 8.5a4
Status: Pending
Resolution: Fixed
Priority: 9
Submitted By: Don Porter (dgp)
Assigned to: Donal K. Fellows (dkf)
Summary: UpdateStringOfList: overflow detection

Initial Comment:
% set x [string repeat a 65536]; concat
% set y [lrepeat 65536 $x]; concat
% string length $y
Segmentation fault

The string rep of $y would need a buffer of 4295032831 bytes, but that exceeds INT_MAX. When the scanner (over-)estimates the buffer size, it tries to count up the need for 4295163905 bytes, but the calculation overflows, wraps around and it concludes the need for only 196609 bytes. This gets allocated easily, and we happily start writing to this way too short buffer until we march off into segfaulting.

Would be better for the scanner to detect the overflow (any negative length should be the indicator) and Tcl_Panic, I think.

----------------------------------------------------------------------

>Comment By: Jeffrey Hobbs (hobbs)
Date: 2005-08-25 14:56

Message:
Logged In: YES
user_id=72656

as a possible buffer overflow, yes please.

----------------------------------------------------------------------

Comment By: Donal K. Fellows (dkf)
Date: 2005-08-25 14:49

Message:
Logged In: YES
user_id=79902

Fixed in HEAD; does this need backporting?

----------------------------------------------------------------------
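Added example, not part of the tracker thread and not Tcl's own code: a C model of the size estimate UpdateStringOfList makes before allocating the string rep of a list, in the naive int-accumulating form that wraps, beside a checked form that refuses to exceed INT_MAX. The per-element accounting (element length plus 2 for possible braces plus 1 separator, and one final NUL byte) is an assumption chosen because it reproduces the report's figures exactly: 65536 * (65536 + 3) + 1 = 4295163905, which wraps in 32 bits to 196609. The real Tcl_ScanElement rules are more involved. Note that the wrapped total in the report is positive, so a sign test on the final length alone would not have caught this case; the checked version therefore tests before every addition.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed per-element overhead: 2 bytes for braces the element might
 * need, plus 1 separator. Chosen to reproduce the numbers in the report;
 * not Tcl_ScanElement's actual rules.
 */
#define PER_ELEM_OVERHEAD 3u

/* Naive estimate with a 32-bit accumulator, as int-typed lengths give you.
 * uint32_t is used so the wrap-around is well defined in C (signed int
 * overflow is undefined behaviour); the result is then reinterpreted as
 * int32_t, which is how an int-based allocator would see it. */
static int32_t naive_list_string_size(uint32_t n_elems, uint32_t elem_len)
{
    uint32_t total = 0;
    for (uint32_t i = 0; i < n_elems; i++) {
        total += elem_len + PER_ELEM_OVERHEAD;   /* wraps silently */
    }
    total += 1;                                  /* NUL terminator */
    return (int32_t)total;
}

/* Checked estimate: bail out before any addition would exceed INT_MAX,
 * the largest length an int-based buffer API can represent. Returns 0 and
 * stores the size in *out, or -1 if the estimate does not fit (the point
 * at which the report proposes a Tcl_Panic rather than an allocation). */
static int checked_list_string_size(size_t n_elems, size_t elem_len, size_t *out)
{
    const size_t limit = (size_t)INT_MAX;
    size_t total = 0;

    if (elem_len > limit - PER_ELEM_OVERHEAD) {
        return -1;                               /* single element too big */
    }
    size_t need = elem_len + PER_ELEM_OVERHEAD;

    for (size_t i = 0; i < n_elems; i++) {
        if (total > limit - need) {
            return -1;                           /* next add would overflow */
        }
        total += need;
    }
    if (total > limit - 1) {
        return -1;                               /* no room for the NUL */
    }
    *out = total + 1;
    return 0;
}

int main(void)
{
    size_t size;

    /* The reporter's case: 65536 elements of 65536 bytes each. */
    printf("naive estimate:   %d bytes\n", naive_list_string_size(65536, 65536));
    if (checked_list_string_size(65536, 65536, &size) != 0) {
        printf("checked estimate: does not fit in int, refusing to allocate\n");
    }

    /* A small list: 3 elements of 1 byte -> 3 * (1 + 3) + 1 = 13. */
    if (checked_list_string_size(3, 1, &size) == 0) {
        printf("checked estimate: %zu bytes\n", size);
    }
    return 0;
}
```

The naive function returns 196609 for the reporter's input, the value the report says was actually allocated, while the checked function returns -1 for it well before the accumulator reaches INT_MAX. Whatever the caller does on -1 (the thread suggests Tcl_Panic), the essential property is that no undersized buffer is ever handed to the code that writes the elements.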