From: SourceForge.net <no...@so...> - 2003-05-10 23:57:38
|
Bugs item #714106, was opened at 2003-04-02 10:58 Message generated for change (Comment added) made by hobbs You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=110894&aid=714106&group_id=10894 Category: 40. Memory Allocation Group: 8.4.2 >Status: Closed >Resolution: Fixed Priority: 5 Submitted By: Nobody/Anonymous (nobody) Assigned to: Jeffrey Hobbs (hobbs) Summary: [string repeat] may crash Initial Comment: The following code crashes a 32-bit machine (PC): set M [string repeat x 1048576] set G4 [string repeat $M 4096] The culprit is the unchecked length multiplication in line 2110 in "generic/tclCmdMZ.c: length2 = length1 * count; That can overflow. As a result, much less memory gets allocated, than filled after allocation. I suggest to check the multiplication by back-division: if ((length2 / count) != length1) { ...error... } Heiner Marxen he...@in... ---------------------------------------------------------------------- >Comment By: Jeffrey Hobbs (hobbs) Date: 2003-05-10 16:57 Message: Logged In: YES user_id=72656 Closed with the attached patch. I didn't add a test because it would have different behavior on 64-bit ILP systems. Fixed for 8.4.3 and 8.5. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=110894&aid=714106&group_id=10894 |