From: SourceForge.net <no...@so...> - 2009-02-19 21:21:11
Bugs item #2553906, was opened at 2009-02-01 00:19
Message generated for change (Comment added) made by matzek
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=2553906&group_id=10894

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: 10. Objects
Group: development: 8.6b1.1
Status: Open
Resolution: None
Priority: 9
Private: No
Submitted By: Matthias Kraft (matzek)
Assigned to: Don Porter (dgp)
Summary: integer overflow in Tcl_AttemptSetObjLength() -> SEGFAULT

Initial Comment:
Hi *,

while testing with various incarnations of data appending to hammer the fix for #2494093, I stumbled over another one...

This crash occurs in trunk, core-8-5-branch, as well as 8.4.19. The stack trace below is from HEAD (last updated today 2pm GMT). System is a Linux openSUSE 11.1 x86_64.

Code to reproduce is as follows:

# ----
proc bar {} {
    set f [string repeat "DEADBEEF" 1024] ;# for the crash in AppendUtfToUtfRep()
    set r ""
    set i 0
    while {1} {
        puts -nonewline stdout "$i\r"
        set fl [string length $f]
        if {($fl != [string length $r]) || 1} {
            append r [string range $f 0 $fl]
        }
        incr i $fl
    }
}
bar
# ----

The stack trace contains the first three levels with local vars, then only the calls...
(gdb) bt full
#0  0x00007ffff7b6102d in Tcl_AttemptSetObjLength (objPtr=0x637020, length=-2147467264)
    at /home/matze/cvs/tcl_head/generic/tclStringObj.c:931
        stringPtr = (String *) 0x64e0c0
#1  0x00007ffff7b61a37 in AppendUtfToUtfRep (objPtr=0x637020,
    bytes=0x7ffe70000940 "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"...,
    numBytes=8192) at /home/matze/cvs/tcl_head/generic/tclStringObj.c:1491
        stringPtr = (String *) 0x64e0c0
        newLength = 1073750016
        oldLength = 1073741824
#2  0x00007ffff7b61625 in Tcl_AppendObjToObj (objPtr=0x637020, appendObjPtr=0x62c230)
    at /home/matze/cvs/tcl_head/generic/tclStringObj.c:1269
        stringPtr = (String *) 0x7ffe70002950
        length = 8192
        numChars = 1073750016
        allOneByteChars = 1
        bytes = 0x7ffe70000940 "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"...
#3  0x00007ffff7b75ccf in TclPtrSetVar (interp=0x606e10, varPtr=0x607e90, arrayPtr=0x0, part1Ptr=0x0, part2Ptr=0x0, newValuePtr=0x62c230, flags=516, index=1)
    at /home/matze/cvs/tcl_head/generic/tclVar.c:1885
#4  0x00007ffff7afb455 in TclExecuteByteCode (interp=0x606e10, codePtr=0x649360)
    at /home/matze/cvs/tcl_head/generic/tclExecute.c:3365
#5  0x00007ffff7a8e5d0 in NRCallTEBC (data=0x62bfc8, interp=0x606e10, result=0)
    at /home/matze/cvs/tcl_head/generic/tclBasic.c:4328
#6  0x00007ffff7a8e28f in TclNRRunCallbacks (interp=0x606e10, result=0, rootPtr=0x0, tebcCall=0)
    at /home/matze/cvs/tcl_head/generic/tclBasic.c:4243
#7  0x00007ffff7a8ddbc in Tcl_EvalObjv (interp=0x606e10, objc=1, objv=0x607ca0, flags=2097152)
    at /home/matze/cvs/tcl_head/generic/tclBasic.c:4026
#8  0x00007ffff7a8fd7a in TclEvalEx (interp=0x606e10,
    script=0x653810 "set i 1234567890\nset n /dev/zero\n\n# Tcl bug 2494093\nproc foo {n i} {\n set f [open $n r]\n fconfigure $f -translation binary -buffering full -buffersize 4096\n\n upvar #0 data($n,raw) r\n set r"...,
    numBytes=1157, flags=0, line=61) at /home/matze/cvs/tcl_head/generic/tclBasic.c:5121
#9  0x00007ffff7a8f2b9 in Tcl_EvalEx (interp=0x606e10,
    script=0x653810 "set i 1234567890\nset n /dev/zero\n\n# Tcl bug 2494093\nproc foo {n i} {\n set f [open $n r]\n fconfigure $f -translation binary -buffering full -buffersize 4096\n\n upvar #0 data($n,raw) r\n set r"...,
    numBytes=1157, flags=0) at /home/matze/cvs/tcl_head/generic/tclBasic.c:4822
#10 0x00007ffff7b2ee71 in Tcl_FSEvalFileEx (interp=0x606e10, pathPtr=0x626c20, encodingName=0x0)
    at /home/matze/cvs/tcl_head/generic/tclIOUtil.c:1753
#11 0x00007ffff7b37f62 in Tcl_Main (argc=-1, argv=0x7fffffffde68, appInitProc=0x400925 <Tcl_AppInit>)
    at /home/matze/cvs/tcl_head/generic/tclMain.c:353
#12 0x000000000040091e in main (argc=2, argv=0x7fffffffde58)
    at /home/matze/cvs/tcl_head/unix/tclAppInit.c:87

If I see that correctly AppendUtfToUtfRep() is missing a check against INT_MAX at some place...
-- Matthias Kraft

----------------------------------------------------------------------

>Comment By: Matthias Kraft (matzek)
Date: 2009-02-19 22:21

Message:
will do, but I am currently overloaded with paid work. It might be not before next week that I will find time ...

kind regards
-- Matthias Kraft

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2009-02-18 19:47

Message:
please give the HEAD another round of rigorous testing.

----------------------------------------------------------------------

Comment By: Matthias Kraft (matzek)
Date: 2009-02-02 17:41

Message:
Works for me on 8.4, 8.5, head and tested with AIX, HP-UX, Solaris, and Linux...

-- Matthias Kraft

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2009-02-02 06:50

Message:
Fix committed to HEAD. Please test. Backports on hold until a testing report confirms success, and so that they can happen along with those for 2494093.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=2553906&group_id=10894
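The arithmetic behind the negative length in frame #0 of the initial report, as an added example that is not Tcl's own code: with oldLength = 1073741824 and numBytes = 8192 the needed length is 1073750016, and doubling it for the new allocation wraps a 32-bit int to -2147467264, exactly the value passed to Tcl_AttemptSetObjLength(). The doubling growth policy is an assumption inferred from those trace values; the checked variant shows the INT_MAX guard the report says is missing.

```c
#include <limits.h>
#include <stdio.h>

/* Unchecked growth (models the failing path): 2 * needed wraps negative as
 * soon as needed exceeds INT_MAX / 2. Unsigned arithmetic plus a cast makes
 * the two's-complement wrap explicit instead of relying on undefined signed
 * overflow; a 32-bit int is assumed. */
int unchecked_grow(int oldLength, int numBytes) {
    int needed = oldLength + numBytes;            /* 1073741824 + 8192 */
    return (int)(2u * (unsigned int)needed);      /* wraps to -2147467264 */
}

/* Checked growth. Returns 0 and leaves the outputs untouched when the
 * appended length itself cannot be represented in an int; otherwise stores
 * the exact new length and an allocation size that never exceeds INT_MAX:
 * doubled while doubling is provably safe, capped at INT_MAX afterwards. */
int checked_grow(int oldLength, int numBytes, int *newLength, int *allocLength) {
    if (oldLength < 0 || numBytes < 0) {
        return 0;                                 /* corrupt or negative input */
    }
    if (numBytes > INT_MAX - oldLength) {         /* old + new would overflow */
        return 0;
    }
    int needed = oldLength + numBytes;
    *newLength = needed;
    *allocLength = (needed <= INT_MAX / 2) ? 2 * needed : INT_MAX;
    return 1;
}

int main(void) {
    int n = 0, a = 0;
    printf("unchecked: %d\n", unchecked_grow(1073741824, 8192));
    if (checked_grow(1073741824, 8192, &n, &a)) {
        printf("checked: newLength=%d allocLength=%d\n", n, a);
    }
    printf("checked near INT_MAX: %s\n",
           checked_grow(INT_MAX - 100, 8192, &n, &a) ? "ok" : "rejected");
    return 0;
}
```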