From: SourceForge.net <no...@so...> - 2011-07-19 18:23:02
Bugs item #3371644, was opened at 2011-07-19 19:54
Message generated for change (Comment added) made by ferrieux
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=3371644&group_id=10894

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: 11. Conversions from String
Group: current: 8.5.10
Status: Open
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Thomas Sader (thommey)
Assigned to: Jeffrey Hobbs (hobbs)
Summary: Segfault in Tcl_ConvertElement()

Initial Comment:
The test code at http://paste.tclers.tk/2502 causes tcl8.5.10 (release) and current head to segfault (dereferences garbage pointer).

gdb output:

Program received signal SIGSEGV, Segmentation fault.
0xb7f6e493 in TclConvertElement (src=0x8074d0d "O\270\267xO\270\267\200O\270\267`O\270\267", length=-2, dst=0x805fa60 "\\#test\\\\\\\\\\\\", flags=4) at /xtra/src/tcl8.5.10/unix/../generic/tclUtil.c:1363
1363        *p = *src;
(gdb) p p
$1 = 0x808d000 <Address 0x808d000 out of bounds>
(gdb) bt full
#0  0xb7f6e493 in TclConvertElement (src=0x8074d0d "O\270\267xO\270\267\200O\270\267`O\270\267", length=-2, dst=0x805fa60 "\\#test\\\\\\\\\\\\", flags=4) at /usr/src/tcl8.5.10/unix/../generic/tclUtil.c:1363
        conversion = 4
        p = 0x808d000 <Address 0x808d000 out of bounds>
#1  0xb7f6e24a in Tcl_ConvertCountedElement (src=0x808d000 <Address 0x808d000 out of bounds>, length=-1, dst=0x805fa60 "\\#test\\\\\\\\\\\\", flags=4) at /usr/src/tcl8.5.10/unix/../generic/tclUtil.c:1202
        numBytes = -1208557020
#2  0xb7f6e21e in Tcl_ConvertElement (src=0x8074d0d "O\270\267xO\270\267\200O\270\267`O\270\267", dst=0x808d000 <Address 0x808d000 out of bounds>, flags=79) at /usr/src/tcl8.5.10/unix/../generic/tclUtil.c:1171
No locals.
#3  0x080487f8 in main (argc=1, argv=0xbffffa14) at test2.c:20
        flags = 4
        size = 12
        dst = 0x805fa60 "\\#test\\\\\\\\\\\\"
        src = 0x8048900 "#test\\\\\\"
        interp = 0x804c9e0

Valgrind:

==6136== Invalid write of size 1
==6136==    at 0x4137493: TclConvertElement (tclUtil.c:1363)
==6136==    by 0x4137249: Tcl_ConvertCountedElement (tclUtil.c:1202)
==6136==    by 0x413721D: Tcl_ConvertElement (tclUtil.c:1171)
==6136==    by 0x80487F7: main (test2.c:20)
==6136==  Address 0x437e16d is 0 bytes after a block of size 13 alloc'd
==6136==    at 0x4025018: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6136==    by 0x80487C2: main (test2.c:18)

----------------------------------------------------------------------

>Comment By: Alexandre Ferrieux (ferrieux)
Date: 2011-07-19 20:23

Message:
Fixed in 8.6 HEAD. Leaving open until someone backcommits to 8.5 (properly :P)

----------------------------------------------------------------------

Comment By: Alexandre Ferrieux (ferrieux)
Date: 2011-07-19 20:02

Message:
Also repro on 8.6 HEAD. There, line 1264 of tclUtil.c has a suspicious "length--" applied to a length of -1. Patch below fixes it and passes the test suite.

Index: generic/tclUtil.c
===================================================================
--- generic/tclUtil.c
+++ generic/tclUtil.c
@@ -1259,11 +1259,11 @@ if (conversion == CONVERT_ESCAPE) { p[0] = '\\'; p[1] = '#'; p += 2; src++; - length--; + if (length >=0) length--; } else { conversion = CONVERT_BRACE; } }

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=3371644&group_id=10894
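Review bot: the new guard `if (length >=0) length--;` in the CONVERT_ESCAPE branch carries no comment saying why a negative length must be left alone, so the next reader is likely to "simplify" it back to the plain decrement that turned the -1 passed down from Tcl_ConvertElement (frame #1 of the backtrace, length=-1) into the -2 seen in TclConvertElement at the faulting write. Suggest a one-line comment above it, conventional spacing, and a braced body on its own line to match the surrounding `if`/`else` blocks, e.g. `if (length >= 0) {` / `    length--;` / `}`, or the branch-free `length -= (length > 0);`. The hunk touches only generic/tclUtil.c and adds no test: a regression test that converts a '#'-prefixed, NUL-terminated element the way main() at test2.c:20 does (src "#test\\\\\\", a 13-byte dst) would protect the 8.5 backport, since the submitter's test code exists only on an external paste.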
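To make the failure concrete, below is a simplified model of the escape-conversion loop, written for this page as an added example; it is not Tcl's source. It models the conventions the report and patch imply: length -1 stands for "src is NUL-terminated, length unknown", a leading '#' is emitted as \# and skipped in src, and backslashes are doubled. The exact loop-termination rule (stop when a counted length reaches 0, or on NUL only while length is still -1), the dst_cap guard and the run_variant driver are assumptions of the model. The sample element "#test\\\" (8 bytes), the scan size 12 and the 13-byte destination are taken from the backtrace and valgrind output in the report. The block runs the original unconditional length-- beside the patched guard to show why a length of -2 never stops.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the CONVERT_ESCAPE path described in the report.
 * Example code for this page, not Tcl's TclConvertElement.
 *   - length == -1 means "src is NUL-terminated, length not known"
 *   - a leading '#' is written as "\#" and skipped in src
 *   - backslashes are doubled; every other byte is copied as-is
 *   - the loop ends when a counted length reaches 0, or on the NUL of a
 *     NUL-terminated src, which is recognised only while length is -1
 * dst_cap is an added guard (assumption, not in Tcl) so that a run-away copy
 * is reported as -1 instead of writing past the buffer.
 * Returns the number of bytes written to dst, or -1 on overflow of dst.
 */
int convert_escape(const char *src, int length, char *dst,
                   size_t dst_cap, int patched)
{
    char *p = dst;
    const char *end = dst + dst_cap;

    if (*src == '#') {
        if ((size_t)(end - p) < 2) {
            return -1;
        }
        p[0] = '\\';
        p[1] = '#';
        p += 2;
        src++;
        if (patched) {
            if (length >= 0) length--;   /* patched: the -1 sentinel stays -1 */
        } else {
            length--;                    /* original: -1 becomes -2 */
        }
    }

    for ( ; length != 0; src++, length -= (length > 0)) {
        if (*src == '\0' && length == -1) {
            return (int)(p - dst);       /* end of a NUL-terminated src */
        }
        /* With length == -2 the check above never fires, so the copy runs
         * past the terminator until dst (here) or the address space ends. */
        if (*src == '\\') {
            if ((size_t)(end - p) < 2) {
                return -1;
            }
            p[0] = '\\';
            p[1] = '\\';
            p += 2;
        } else {
            if (p == end) {
                return -1;
            }
            *p++ = *src;
        }
    }
    return (int)(p - dst);
}

/*
 * The element from the report's backtrace, "#test\\\" (8 bytes), placed in a
 * zero-filled 32-byte buffer so the run-away read of the original variant
 * stays inside defined memory.  Constructed sample, not the original paste.
 */
static const char sample[32] = "#test\\\\\\";

/* Scan size from the backtrace (size = 12) plus one byte, matching the
 * 13-byte block valgrind reports main() allocating. */
#define DST_CAP 13

/* Convert the sample with the -1 "NUL-terminated" length using one variant.
 * Returns the bytes written, or -1 if that variant overflowed dst. */
int run_variant(int patched, char *out, size_t cap)
{
    memset(out, 0, cap);
    return convert_escape(sample, -1, out, cap, patched);
}

int main(void)
{
    char buf[DST_CAP];
    int n = run_variant(1, buf, sizeof buf);
    printf("patched : %d bytes written: %.*s\n", n, n > 0 ? n : 0, buf);
    n = run_variant(0, buf, sizeof buf);
    printf("original: %s\n", n < 0 ? "copy ran past the 13-byte destination" : "ok");
    return 0;
}
```

Note that a counted length (3 for "#ab") takes the same path in both variants and terminates normally; only the -1 sentinel is damaged by the decrement, which is why the bug surfaces through Tcl_ConvertElement rather than through a counted call.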