Menu
▾
▴
[Tcl-bugs] [ tcl-Bugs-2971669 ] int overflow in Tcl_ListObjReplace
|
From: SourceForge.net <no...@so...> - 2010-03-18 20:39:04
|
Bugs item #2971669, was opened at 2010-03-16 20:47 Message generated for change (Comment added) made by dgp You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=110894&aid=2971669&group_id=10894 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: 14. List Object Group: development: 8.6b1.1 >Status: Closed >Resolution: Fixed Priority: 5 Private: No Submitted By: Don Porter (dgp) Assigned to: Don Porter (dgp) Summary: int overflow in Tcl_ListObjReplace Initial Comment: tclListObj.c, line 835: } else if (numElems < first+count) { what if "first+count" overflows the int range? ---------------------------------------------------------------------- >Comment By: Don Porter (dgp) Date: 2010-03-18 16:39 Message: and backported for 8.5.9. ---------------------------------------------------------------------- Comment By: Don Porter (dgp) Date: 2010-03-18 16:35 Message: reviewed and committed to HEAD. ---------------------------------------------------------------------- Comment By: Alexandre Ferrieux (ferrieux) Date: 2010-03-17 16:55 Message: A few lines after the fix there's numRequired = numElems - count + objc; which can overflow again; not sure we don't end up with a negative third argument to memmove a few lines down from there. </paranoid> ---------------------------------------------------------------------- Comment By: Kevin B KENNY (kennykb) Date: 2010-03-17 14:23 Message: Patch attached for the submitter's review. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=110894&aid=2971669&group_id=10894 |