From: SourceForge.net <no...@so...> - 2011-03-06 17:53:52
Bugs item #3192636, was opened at 2011-02-25 16:27
Message generated for change (Comment added) made by dgp
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=3192636&group_id=10894

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

>Category: 45. Parsing and Eval
>Group: current: 8.5.9
>Status: Pending
>Resolution: Wont Fix
Priority: 5
Private: No
Submitted By: Don Porter (dgp)
>Assigned to: Don Porter (dgp)
Summary: TclFindElement permits buffer overrun

Initial Comment:
The TclFindElement() routine accepts a pair of arguments
(CONST char *list) and (int listLength) which determine
the string to be parsed. Examination of that string
ought not continue beyond the byte (list + listLength)
but if that point happens in the middle of a backslash
escape sequence, nothing is done to prevent it.

Looking for any ways to demo this via public access...

----------------------------------------------------------------------

>Comment By: Don Porter (dgp)
Date: 2011-03-06 12:53

Message:
OK, with that bug fixed, there's no way a script
can run into this problem. We can declare it
"not a bug" so long as we add a precondition
for all callers of this private routine that
*(list+listLength) == `\0` . Since most of the
time, the string being parsed is the bytes field
of a Tcl_Obj, this is usually easily satisfied.

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2011-03-05 23:36

Message:
see 3200987

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2011-03-05 02:38

Message:
That actually demos a different bug in TclParseBackslash.

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2011-02-25 16:49

Message:
% testparser {{*}\u218} 8
- {{*}\u218} 1 expand {{*}\u218} 1 backslash {\u218} 0 {}
% testparser {{*}\u218} 7
- \{*\}\\u218\}¾r\n 1 expand \{*\}\\u218\}¾r 12 backslash {\u218} 0 text 0 text \} 0 text 0 text 0 text ¾ 0 text 0 text 0 text 0 text r 0 text 0 text 0 {}

----------------------------------------------------------------------
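
The boundary condition discussed in this thread, as an added example that is not part of the tracker item and is not Tcl source: a (pointer, length) scanner whose backslash handling either honours the length or relies on the precondition *(list+listLength) == '\0'. The helper names, the \u-only escape model and the sample buffers are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified stand-ins, not Tcl's TclFindElement/TclParseBackslash.
 * Only \u followed by up to 4 hex digits is modelled. */
static int is_hex(char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
}

/* Escape length at p; stops only at a non-hex byte, so it relies on a NUL. */
static size_t esc_len_unbounded(const char *p)
{
    size_t n = (p[1] == '\0') ? 1 : 2;
    if (p[1] == 'u')
        while (n < 6 && is_hex(p[n])) n++;
    return n;
}

/* Escape length at p; never examines p[avail] or anything after it. */
static size_t esc_len_bounded(const char *p, size_t avail)
{
    size_t n = (avail < 2) ? 1 : 2;
    if (avail >= 2 && p[1] == 'u')
        while (n < avail && n < 6 && is_hex(p[n])) n++;
    return n;
}

/* Offset where scanning list[0..len) stops; > len means an overread. */
size_t scan_end(const char *list, size_t len, int bounded)
{
    size_t i = 0;
    while (i < len) {
        if (list[i] != '\\') i++;
        else if (bounded) i += esc_len_bounded(list + i, len - i);
        else i += esc_len_unbounded(list + i);
    }
    return i;
}

/* Constructed inputs: the thread's string, and a 7-byte prefix with a NUL. */
static const char full[] = "{*}\\u218}";
static const char cut[]  = "{*}\\u21";
int main(void)
{
    printf("unbounded, len 7: %zu\n", scan_end(full, 7, 0)); /* 8 */
    printf("bounded,   len 7: %zu\n", scan_end(full, 7, 1)); /* 7 */
    printf("unbounded + NUL : %zu\n", scan_end(cut, 7, 0));  /* 7 */
    return 0;
}
```

A result larger than the length passed in means the scanner examined a byte the caller did not hand it; the third case shows the precondition from the thread making the unbounded helper stop at the boundary.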