From: SourceForge.net <no...@so...> - 2011-02-25 21:27:26
Bugs item #3192636, was opened at 2011-02-25 16:27
Message generated for change (Tracker Item Submitted) made by dgp
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=3192636&group_id=10894

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Don Porter (dgp)
Assigned to: Nobody/Anonymous (nobody)
Summary: TclFindElement permits buffer overrun

Initial Comment:
The TclFindElement() routine accepts a pair of arguments (CONST char *list) and (int listLength) which determine the string to be parsed. Examination of that string ought not continue beyond the byte (list + listLength) but if that point happens in the middle of a backslash escape sequence, nothing is done to prevent it.

Looking for any ways to demo this via public access...
From: SourceForge.net <no...@so...> - 2011-02-25 21:49:28
Bugs item #3192636, was opened at 2011-02-25 16:27
Message generated for change (Comment added) made by dgp

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Don Porter (dgp)
Assigned to: Nobody/Anonymous (nobody)
Summary: TclFindElement permits buffer overrun

>Comment By: Don Porter (dgp)
Date: 2011-02-25 16:49

Message:
% testparser {{*}\u218} 8
- {{*}\u218} 1 expand {{*}\u218} 1 backslash {\u218} 0 {}
% testparser {{*}\u218} 7
- \{*\}\\u218\}¾r\n 1 expand \{*\}\\u218\}¾r 12 backslash {\u218} 0 text 0 text \} 0 text 0 text 0 text ¾ 0 text 0 text 0 text 0 text r 0 text 0 text 0 {}
From: SourceForge.net <no...@so...> - 2011-03-05 07:38:58
Bugs item #3192636, was opened at 2011-02-25 16:27
Message generated for change (Comment added) made by dgp

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Don Porter (dgp)
Assigned to: Nobody/Anonymous (nobody)
Summary: TclFindElement permits buffer overrun

>Comment By: Don Porter (dgp)
Date: 2011-03-05 02:38

Message:
That actually demos a different bug in TclParseBackslash.
From: SourceForge.net <no...@so...> - 2011-03-06 04:36:58
Bugs item #3192636, was opened at 2011-02-25 16:27
Message generated for change (Comment added) made by dgp

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Don Porter (dgp)
Assigned to: Nobody/Anonymous (nobody)
Summary: TclFindElement permits buffer overrun

>Comment By: Don Porter (dgp)
Date: 2011-03-05 23:36

Message:
see 3200987
From: SourceForge.net <no...@so...> - 2011-03-06 17:53:52
Bugs item #3192636, was opened at 2011-02-25 16:27
Message generated for change (Comment added) made by dgp

>Category: 45. Parsing and Eval
>Group: current: 8.5.9
>Status: Pending
>Resolution: Wont Fix
Priority: 5
Private: No
Submitted By: Don Porter (dgp)
>Assigned to: Don Porter (dgp)
Summary: TclFindElement permits buffer overrun

>Comment By: Don Porter (dgp)
Date: 2011-03-06 12:53

Message:
OK, with that bug fixed, there's no way a script can run into this problem. We can declare it "not a bug" so long as we add a precondition for all callers of this private routine that *(list+listLength) == `\0`. Since most of the time, the string being parsed is the bytes field of a Tcl_Obj, this is usually easily satisfied.
From: SourceForge.net <no...@so...> - 2011-03-06 19:53:13
Bugs item #3192636, was opened at 2011-02-25 16:27
Message generated for change (Comment added) made by dgp

Category: 45. Parsing and Eval
Group: current: 8.5.9
>Status: Open
Resolution: Wont Fix
Priority: 5
Private: No
Submitted By: Don Porter (dgp)
Assigned to: Don Porter (dgp)
Summary: TclFindElement permits buffer overrun

>Comment By: Don Porter (dgp)
Date: 2011-03-06 14:53

Message:
Nah, it's too simple a fix not to fix it. The only real snag is no easy way to add a test.
From: SourceForge.net <no...@so...> - 2011-03-06 20:07:45
Bugs item #3192636, was opened at 2011-02-25 16:27
Message generated for change (Comment added) made by dgp

Category: 45. Parsing and Eval
Group: current: 8.5.9
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Don Porter (dgp)
Assigned to: Don Porter (dgp)
Summary: TclFindElement permits buffer overrun

>Comment By: Don Porter (dgp)
Date: 2011-03-06 15:07

Message:
fixed in all open branches
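Added example (not part of the tracker thread and not Tcl's source code): a simplified C sketch of the pattern the initial comment describes, where a length-limited scan hands a backslash escape to a helper that ignores the limit, next to a bounded version, and of the precondition from the 2011-03-06 12:53 comment. The function names, the escape rule (backslash, 'u', up to four hex digits) and the sample buffer are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Constructed sample: a, b, backslash, u, 2, 1, 8, space, c, d.
 * With listLength = 5 the limit falls inside the escape sequence. */
static const char SAMPLE[] = "ab\\u218 cd";

/* Hypothetical helper: bytes consumed by the escape at p[0] == '\\'.
 * Relies on a terminating NUL and never looks at the caller's limit. */
static int escape_len_unbounded(const char *p)
{
    int n = 1;                          /* the backslash itself */
    if (p[n] == '\0') return n;
    if (p[n++] != 'u') return n;        /* plain one-character escape */
    for (int d = 0; d < 4 && isxdigit((unsigned char)p[n]); d++) n++;
    return n;
}

/* Same rule, but no byte at or beyond `end` is examined. */
static int escape_len_bounded(const char *p, const char *end)
{
    int n = 1;
    if (p + n >= end) return n;         /* lone backslash at the limit */
    if (p[n++] != 'u') return n;
    for (int d = 0; d < 4 && p + n < end && isxdigit((unsigned char)p[n]); d++) n++;
    return n;
}

/* Walk the first space-delimited element of list[0..listLength) and return
 * the offset the cursor reached; a result greater than listLength means
 * bytes past the stated limit were examined. */
static int scan_first_element(const char *list, int listLength, int bounded)
{
    const char *p = list, *end = list + listLength;
    while (p < end && *p != ' ') {
        if (*p == '\\')
            p += bounded ? escape_len_bounded(p, end) : escape_len_unbounded(p);
        else
            p++;
    }
    return (int)(p - list);
}

int main(void)
{
    printf("unbounded, limit 5: cursor at %d\n", scan_first_element(SAMPLE, 5, 0));
    printf("bounded,   limit 5: cursor at %d\n", scan_first_element(SAMPLE, 5, 1));
    /* Precondition list[listLength] == NUL: the unbounded helper stops in time. */
    printf("unbounded, NUL at limit: cursor at %d\n", scan_first_element("ab\\u2", 5, 0));
    return 0;
}
```

The sample buffer is longer than the limit passed in, so the unbounded run crosses the logical limit without leaving allocated memory.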