#4802 TclFindElement permits buffer overrun

obsolete: 8.5.9
closed-fixed
5
2011-03-06
2011-02-25
Don Porter
No

The TclFindElement() routine accepts a pair of
arguments (CONST char *list) and (int listLength)
which determine the string to be parsed.

Examination of that string ought not continue beyond
the byte (list + listLength) but if that point happens
in the middle of a backslash escape sequence, nothing
is done to prevent it.

Looking for any ways to demo this via public access...

Discussion

  • Don Porter

    Don Porter - 2011-02-25

    % testparser {{*}\u218} 8
    - {{*}\u218} 1 expand {{*}\u218} 1 backslash {\u218} 0 {}

    % testparser {{*}\u218} 7
    - \{*\}\\u218\}¾r\n 1 expand \{*\}\\u218\}¾r 12 backslash {\u218} 0 text 0 text \} 0 text 0 text 0 text ¾ 0 text 0 text 0 text 0 text r 0 text 0 text 0 {}

     
  • Don Porter

    Don Porter - 2011-03-05

    That actually demos a different bug in TclParseBackslash.

     
  • Don Porter

    Don Porter - 2011-03-06

    see 3200987

     
  • Don Porter

    Don Porter - 2011-03-06

    OK, with that bug fixed, there's no way
    a script can run into this problem. We
    can declare it "not a bug" so long as we
    add a precondition for all callers of this
    private routine that *(list+listLength) == '\0'.

    Since most of the time, the string being parsed
    is the bytes field of a Tcl_Obj, this is usually
    easily satisfied.

     
  • Don Porter

    Don Porter - 2011-03-06
    • milestone: --> obsolete: 8.5.9
    • assigned_to: nobody --> dgp
    • labels: --> 45. Parsing and Eval
    • status: open --> pending-wont-fix
     
  • Don Porter

    Don Porter - 2011-03-06

    Nah, it's too simple a fix not to fix it.
    The only real snag is no easy way to
    add a test.

     
  • Don Porter

    Don Porter - 2011-03-06
    • status: pending-wont-fix --> open-wont-fix
     
  • Don Porter

    Don Porter - 2011-03-06
    • status: open-wont-fix --> closed-fixed
     
  • Don Porter

    Don Porter - 2011-03-06

    fixed in all open branches
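
The boundary condition the ticket describes, as an added C sketch that is not Tcl's source and not the fix that was committed: a simplified length-bounded scanner whose backslash parser is either left unbounded by listLength or clamped to it. The function names, the reduced escape grammar and the sample strings are assumptions made for illustration; the last call shows why a NUL at list[listLength] also stops the scan.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not Tcl source: length of the backslash sequence at p,
 * examining at most `avail` bytes. Handles \uHHHH (up to 4 hex digits) and
 * two-byte escapes only. */
static size_t escape_len(const char *p, size_t avail)
{
    size_t n = 2;
    if (avail < 2) return avail;          /* lone backslash at the limit */
    if (p[1] != 'u') return 2;
    while (n < avail && n < 6 && isxdigit((unsigned char)p[n])) n++;
    return n;
}

/* Scan until a space or listLength; escapes are parsed against escLimit.
 * Returns the index one past the last byte consumed. */
static size_t scan(const char *list, size_t listLength, size_t escLimit)
{
    size_t i = 0;
    while (i < listLength && list[i] != ' ') {
        if (list[i] == '\\') i += escape_len(list + i, escLimit - i);
        else i++;
    }
    return i;
}

/* Defect model: the escape parser is bounded only by the allocation
 * (bufSize), standing in for "no bound at all" without real UB. */
size_t scan_unchecked(const char *list, size_t listLength, size_t bufSize)
{
    return scan(list, listLength, bufSize);
}

/* Hardened: the escape parser never sees past list + listLength. */
size_t scan_checked(const char *list, size_t listLength)
{
    return scan(list, listLength, listLength);
}

int main(void)
{
    const char buf[] = "ab\\u218f rest";   /* constructed sample, 13 bytes */
    printf("unchecked: %zu\n", scan_unchecked(buf, 5, sizeof buf - 1));
    printf("checked:   %zu\n", scan_checked(buf, 5));
    /* Precondition from the thread: a NUL at list[listLength] stops it. */
    printf("NUL at bound: %zu\n", scan_unchecked("ab\\u2", 5, 6));
    return 0;
}
```

A return value greater than listLength means bytes past the caller's bound were consumed.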

     
