From: SourceForge.net <no...@so...> - 2009-02-02 18:31:58
Bugs item #2557796, was opened at 2009-02-02 13:31
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=2557796&group_id=10894

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: 41. Memory Allocation
Group: development: 8.6b1.1
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Don Porter (dgp)
Assigned to: Jeffrey Hobbs (hobbs)
Summary: TclpAlloc() - no overflow protection

Initial Comment:
The TclpAlloc() implementation in tclThreadAlloc.c accepts an (unsigned int) argument "reqSize" for the number of bytes the caller needs. If a value greater than (UINT_MAX - sizeof(Block)) is passed in, then the calculation of the total allocation needed including overhead will overflow the unsigned int range, and on systems where the range of size_t is no bigger than the range of unsigned int, the value of "size" will overflow and the comparisons to MAXALLOC, etc. may well return bogus results.

----------------------------------------------------------------------
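
The wraparound described in the report, with the missing guard beside it, as an added example that is not part of the original report and is not Tcl's code. The Block layout, the EXAMPLE_MAXALLOC value and all function names are assumptions, and the arithmetic is done in unsigned int to model a platform where size_t is no wider than unsigned int.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for the allocator's per-block header; the real
 * Block layout in tclThreadAlloc.c is not shown in the report. */
typedef struct Block {
    void *next;
    unsigned int magic;
} Block;

/* Constructed limit for this example; not Tcl's actual MAXALLOC value. */
#define EXAMPLE_MAXALLOC 16284u
#define OVERHEAD ((unsigned int)sizeof(Block))

/* Unchecked total, computed in unsigned int to model a platform where
 * size_t is no wider than unsigned int. Wraps modulo UINT_MAX + 1. */
unsigned int total_unchecked(unsigned int reqSize)
{
    return reqSize + OVERHEAD;
}

/* 1 = total passes the "<= limit" comparison, 0 = it does not. */
int is_small_unchecked(unsigned int reqSize)
{
    return total_unchecked(reqSize) <= EXAMPLE_MAXALLOC;
}

/* Same comparison behind a guard at the report's threshold:
 * -1 = rejected because reqSize + overhead would overflow. */
int is_small_checked(unsigned int reqSize)
{
    if (reqSize > UINT_MAX - OVERHEAD) {
        return -1;
    }
    return (reqSize + OVERHEAD) <= EXAMPLE_MAXALLOC;
}

int main(void)
{
    unsigned int huge = UINT_MAX - 3u;   /* constructed input */
    printf("overhead=%u unchecked total=%u\n", OVERHEAD, total_unchecked(huge));
    printf("unchecked small? %d, checked: %d\n",
           is_small_unchecked(huge), is_small_checked(huge));
    return 0;
}
```

The guard compares reqSize against UINT_MAX - sizeof(Block) before adding, so the check itself cannot wrap.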