#3820 off-by-one error in parser unbalanced brace in comment check

obsolete: 8.5b1
closed-fixed
5
2007-10-15
2007-10-15
No

This bug is present in both 8.4 and 8.5 (HEAD).

In Tcl_ParseBraces, near line 1671 in HEAD we see:

src = start;

A couple lines later, src is updated in a loop:

while (++src, --numBytes) {
<snip>

If this loop terminates due to numBytes being zero, src may point one character beyond the end of the string.

The real problem arises in the error handling code that attempts to search backwards for the open brace inside of a comment, near line 1788:

for (; src > start; src--) {
switch (*src) {
<snip>

At the point the switch statement is executed, src still may point one character beyond the end of the string.

A possible fix for this issue is to change the loop as follows:

for (src--; src > start; src--) {
switch (*src) {
<snip>
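The two loops above, reduced to index arithmetic over a constructed sample, as an added example that is not code from the tracker or from Tcl itself. `forward_scan_end`, `search_back_original` and `search_back_fixed` are hypothetical names; the backward loops only look for `{` and omit the comment-tracking logic of the real `Tcl_ParseBraces`. The sample is followed by a canary byte standing in for whatever lies past the end of the string, so the out-of-range read stays inside the array here and can be observed instead of being undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one backward search over a brace body. */
typedef struct {
    long max_read;  /* highest index the loop dereferenced */
    long brace_at;  /* index of the '{' it stopped on, or -1 */
} ScanResult;

/* Models the forward scan `src = start; while (++src, --numBytes) {...}`.
 * When nothing in the body breaks out early, src ends at numBytes, i.e. one
 * past the last byte of the string (numBytes must be >= 1, as in the parser). */
static long forward_scan_end(long numBytes) {
    long src = 0;
    while (++src, --numBytes) {
        /* body elided: the interesting case is the loop running to the end */
    }
    return src;
}

/* The loop as it stood before the fix: `for (; src > start; src--) switch (*src)`.
 * It dereferences src before the first decrement, so when src arrives here
 * one past the end, the very first read is buf[len], outside the string. */
static ScanResult search_back_original(const char *buf, long src) {
    ScanResult r = { -1, -1 };
    for (; src > 0; src--) {
        if (src > r.max_read) r.max_read = src;
        if (buf[src] == '{') { r.brace_at = src; break; }
    }
    return r;
}

/* The committed fix: `while (--src > start)` decrements first, so the highest
 * index ever read is len - 1 when src starts at len. */
static ScanResult search_back_fixed(const char *buf, long src) {
    ScanResult r = { -1, -1 };
    while (--src > 0) {
        if (src > r.max_read) r.max_read = src;
        if (buf[src] == '{') { r.brace_at = src; break; }
    }
    return r;
}

/* Constructed sample (not from the tracker): a brace body with a '{' inside a
 * comment. The byte after it is a canary standing in for whatever happens to
 * follow the string in memory; it is deliberately '{' to show that the original
 * loop can "find" a brace that was never part of the input. */
#define SAMPLE "{x ;# {\n"
enum { SAMPLE_LEN = (int)sizeof(SAMPLE) - 1 };  /* 8 bytes; last valid index 7 */

static void build_buffer(char *buf) {
    memcpy(buf, SAMPLE, SAMPLE_LEN);
    buf[SAMPLE_LEN] = '{';  /* canary: one byte past the string */
}

static ScanResult run_original(void) {
    char buf[SAMPLE_LEN + 1];
    build_buffer(buf);
    return search_back_original(buf, forward_scan_end(SAMPLE_LEN));
}

static ScanResult run_fixed(void) {
    char buf[SAMPLE_LEN + 1];
    build_buffer(buf);
    return search_back_fixed(buf, forward_scan_end(SAMPLE_LEN));
}

int main(void) {
    ScanResult o = run_original(), f = run_fixed();
    printf("string length %d; last valid index %d\n", SAMPLE_LEN, SAMPLE_LEN - 1);
    printf("original: max index read %ld, brace found at %ld\n", o.max_read, o.brace_at);
    printf("fixed:    max index read %ld, brace found at %ld\n", f.max_read, f.brace_at);
    return 0;
}
```

With the canary in place the original loop reports index 8 as both its highest read and its match, while the fixed loop never touches anything past index 7 and stops on the real brace at index 6. In the parser the byte past the end is usually a terminating NUL, which is why the defect rarely showed; the read still happens, and a tool such as AddressSanitizer or Valgrind would flag it on a buffer that is not NUL-terminated.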

Discussion

  • miguel sofer

    miguel sofer - 2007-10-15


    Thx, fixed by changing the second loop to
    while(--src > start) { ... }

    The bug was possibly harmless in most situations - the next character would almost always have been a terminal \0.

  • miguel sofer

    miguel sofer - 2007-10-15
    • status: open --> closed-fixed