From: <no...@so...> - 2001-12-22 15:15:54
Bugs item #495207, was opened at 2001-12-19 14:49
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=110894&aid=495207&group_id=10894

Category: 43. Parsing and Eval
Group: 8.4a4
Status: Open
Resolution: None
Priority: 9
Submitted By: Joe English (jenglish)
>Assigned to: Donal K. Fellows (dkf)
Summary: [subst] error on [ = buffer overrun?

Initial Comment:
[subst] produces garbage when the input contains an incomplete command substitution:

    set lb {[}
    set a [subst $lb]

First saw this in Tcl 8.4 alpha something (CVS snapshot), but the bug seems to go back as far as Tcl 8.0.

Also:

    subst {[set a 1} ;# missing "]"

sets $a to 1 and returns 1; this should probably be an error instead.

----------------------------------------------------------------------

>Comment By: miguel sofer (msofer)
Date: 2001-12-22 07:15

Message:
Logged In: YES
user_id=148712

The error seems to be in Tcl_SubstObj(): it *assumes* that bracket terms are properly terminated, and misbehaves when this assumption is not verified.

I am enclosing a patch that resolves this issue. I am not sure if it behaves properly though, I have a question as to what should happen in case of a misformatted bracket term. Specifically: if we request

    subst {[set a 1} ;# missing "]"

this patch causes a to be set to 1, and *then* returns an error. Should it instead return with an error *before* setting a?

Donal, I'm assigning back to you for comment on this issue.

----------------------------------------------------------------------

Comment By: Donal K. Fellows (dkf)
Date: 2001-12-20 12:19

Message:
Logged In: YES
user_id=79902

Looks like memory corruption in the hairiest bit of the parser (i.e. when the TCL_BRACKET_TERM flag is set); is it *really* going past the end of the string?!? In any case, this is outside my domain...

Upped the severity as [subst] is sometimes used on untrusted data (though it should not be a general problem because anyone not setting -nocommands or controlling what has brackets is asking for trouble anyway) and might have some impact on some important Tcl applications (like webservers...)

----------------------------------------------------------------------
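
Added example (not part of the original thread, and not Tcl's parser code): the comments above trace the bug to a scanner that assumes a bracket term is terminated, so this C function shows a bounded scan over a counted buffer that reports an unterminated "[" instead of reading on. find_bracket_end, its result codes and the sample strings are hypothetical, and it assumes only nested brackets and backslash escapes matter.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes; not Tcl's. */
enum { BRACKET_OK = 0, BRACKET_UNTERMINATED = -1, BRACKET_BAD_START = -2 };

/*
 * Find the "]" closing the "[" at buf[start] in a counted buffer of len
 * bytes. Assumption: only nested brackets and backslash escapes matter.
 * On success, *end receives the index of the closing bracket.
 */
int find_bracket_end(const char *buf, size_t len, size_t start, size_t *end)
{
    size_t i, depth = 0;

    if (start >= len || buf[start] != '[')
        return BRACKET_BAD_START;
    for (i = start; i < len; i++) {
        if (buf[i] == '\\') {
            if (i + 1 < len)
                i++;            /* skip escaped byte, never past len */
        } else if (buf[i] == '[') {
            depth++;
        } else if (buf[i] == ']' && --depth == 0) {
            *end = i;
            return BRACKET_OK;
        }
    }
    /* Input ended with a bracket still open: report it, read no further. */
    return BRACKET_UNTERMINATED;
}

int main(void)
{
    /* Constructed inputs, including the two from the bug report. */
    const char *samples[] = { "[", "[set a 1", "[set a 1]", "[a [b] c]" };
    size_t n, end;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        int rc = find_bracket_end(samples[n], strlen(samples[n]), 0, &end);
        if (rc == BRACKET_OK)
            printf("%-10s closes at index %zu\n", samples[n], end);
        else
            printf("%-10s error %d (unterminated)\n", samples[n], rc);
    }
    return 0;
}
```

Returning the error from the scan, before anything inside the brackets is evaluated, corresponds to the "error before setting a" ordering raised in the second comment.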