From: SourceForge.net <no...@so...> - 2009-08-27 19:22:15
Bugs item #2845535, was opened at 2009-08-27 08:38
Message generated for change (Comment added) made by dgp
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=2845535&group_id=10894

Please note that this message will contain a full copy of the comment
thread, including the initial issue submission, for this request,
not just the latest update.

Category: 10. Objects
Group: development: 8.6b1.1
Status: Open
Resolution: None
Priority: 9
Private: No
Submitted By: Joe Mistachkin (mistachkin)
Assigned to: Don Porter (dgp)
Summary: string overflow panic in [format]

Initial Comment:
The following command triggers a crash in 8.4, 8.5, and HEAD:

format "%.2147483647f" 2

The following command triggers a crash in 8.5 and HEAD (in 8.4 it
produces some kind of result):

format "%2147483647.f" 2

The following code (near line 2187) in "generic\tclStringObj.c" is a bit
problematic due to unchecked usage of sprintf with a fixed size buffer:

    char spec[2*TCL_INTEGER_SPACE + 9], *p = spec;

    <snip>

    if (width) {
        p += sprintf(p, "%d", width);
        if (width > length) {
            length = width;
        }
    }
    if (gotPrecision) {
        *p++ = '.';
        p += sprintf(p, "%d", precision);
        length += precision;
    }

----------------------------------------------------------------------

>Comment By: Don Porter (dgp)
Date: 2009-08-27 15:22

Message:
patch attached

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2009-08-27 14:34

Message:
The Tcl code is not written with the possibility that sprintf() might
raise an error, which according to the linux platform docs is done by
returning a negative value.

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2009-08-27 12:30

Message:
For the second example, on a system where I avoid a mem alloc panic,
I also see a panic, not a crash:

% format "%2147483647.f" 2
Tcl_SetObjLength: negative length requested: -1 (integer overflow?)

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2009-08-27 12:23

Message:
on the 8.5 and HEAD branches I see a panic, not a crash:

% format %.2147483647f 2
Tcl_SetObjLength: negative length requested: -2147483329 (integer overflow?)

In 8.4, I see:

% format %.2147483647f 2
%

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2009-08-27 10:05

Message:
Any relation to 2838354 ?

----------------------------------------------------------------------

Comment By: Joe Mistachkin (mistachkin)
Date: 2009-08-27 08:58

Message:
Further analysis reveals that I am tired. The actual line (near 2235)
which causes the problem is:

    Tcl_SetObjLength(segment, sprintf(bytes, spec, d));

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=2845535&group_id=10894
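The thread points at two unchecked spots: the spec string assembled with sprintf() into a fixed buffer (and the `length += precision` sum that can wrap), and the sprintf() return value passed straight into Tcl_SetObjLength() even when it is negative. The following C is an added illustration of the checked form of both patterns; it is not the patch dgp attached and not Tcl's own code. `build_spec`, `format_double_checked`, the `fmt_status` codes and the `MAX_FIELD` policy limit are all names and values assumed for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit on width/precision for this example. A real library
 * picks a value matching its memory budget; the point is that a caller-
 * supplied 2147483647 is rejected before any formatting or allocation. */
#define MAX_FIELD 4096

enum fmt_status {
    FMT_OK = 0,
    FMT_OVERFLOW = 1,    /* width + precision would not fit in an int */
    FMT_BAD_FIELD = 2,   /* width or precision outside [0, MAX_FIELD] */
    FMT_ENCODE_ERR = 3,  /* snprintf reported an error (negative return) */
    FMT_TRUNCATED = 4    /* output buffer too small; *needed has the full size */
};

/* Same shape as the spec-building code in the report, but every piece is
 * written with snprintf against the remaining space and its return value
 * is checked. Returns the spec length, or -1 on error/no room. */
int build_spec(char *spec, size_t sz, int width, int has_prec, int precision)
{
    size_t used = 0;
    int n = snprintf(spec, sz, "%%");
    if (n < 0 || (size_t)n >= sz) return -1;
    used += (size_t)n;
    if (width) {
        n = snprintf(spec + used, sz - used, "%d", width);
        if (n < 0 || (size_t)n >= sz - used) return -1;
        used += (size_t)n;
    }
    if (has_prec) {
        n = snprintf(spec + used, sz - used, ".%d", precision);
        if (n < 0 || (size_t)n >= sz - used) return -1;
        used += (size_t)n;
    }
    n = snprintf(spec + used, sz - used, "f");
    if (n < 0 || (size_t)n >= sz - used) return -1;
    return (int)(used + (size_t)n);
}

/* Format d as "%<width>.<precision>f" into out[outsz]. Field sizes are
 * validated first (the check the original 'length += precision' lacks),
 * width and precision travel through '*' so no spec string is needed at
 * all, and the snprintf result is checked for error and truncation before
 * it could ever be handed to something like Tcl_SetObjLength(). */
enum fmt_status format_double_checked(char *out, size_t outsz,
                                      int width, int precision, double d,
                                      size_t *needed)
{
    if (needed) *needed = 0;
    if (width < 0 || precision < 0) return FMT_BAD_FIELD;
    if (precision > INT_MAX - width) return FMT_OVERFLOW;
    if (width > MAX_FIELD || precision > MAX_FIELD) return FMT_BAD_FIELD;

    int n = snprintf(out, outsz, "%*.*f", width, precision, d);
    if (n < 0) return FMT_ENCODE_ERR;          /* never treat -1 as a length */
    if (needed) *needed = (size_t)n + 1;       /* bytes incl. terminating NUL */
    if ((size_t)n >= outsz) return FMT_TRUNCATED; /* out is still NUL-terminated */
    return FMT_OK;
}

int main(void)
{
    char buf[64];
    size_t need = 0;
    enum fmt_status st = format_double_checked(buf, sizeof buf, 8, 3, 2.0, &need);
    printf("status=%d out=\"%s\" need=%zu\n", st, buf, need);
    /* The two inputs from the report are refused up front. */
    st = format_double_checked(buf, sizeof buf, 0, INT_MAX, 2.0, &need);
    printf("precision=INT_MAX -> status=%d\n", st);
    st = format_double_checked(buf, sizeof buf, INT_MAX, 0, 2.0, &need);
    printf("width=INT_MAX -> status=%d\n", st);
    return 0;
}
```

The ordering of the checks matters: the overflow test must run before any arithmetic on `width + precision`, and the policy limit is what keeps a legal but enormous precision from turning into a multi-gigabyte formatting request.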