From: SourceForge.net <no...@so...> - 2011-07-13 17:44:58
Bugs item #3366265, was opened at 2011-07-13 13:41
Message generated for change (Comment added) made by dgp
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=3366265&group_id=10894

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: 22. [proc] and [uplevel]
Group: obsolete: 8.4.19
Status: Open
Resolution: None
Priority: 9
Private: No
Submitted By: Don Porter (dgp)
Assigned to: Don Porter (dgp)
Summary: buffer overflow due to TclObjInterpProc flaw

Initial Comment:
New test in a --enable-symbols=all build :

    test proc-3.7 {TclObjInterpProc, wrong num args} {
        proc {} {x} {}
        list [catch {{}} msg] $msg
    } {1 {wrong # args: should be "{} x"}}

produces this memory validation failure:

    Test file error: hi guard byte 0 is 0x0
    total mallocs 35586
    total frees 29673
    current packets allocated 5913
    current bytes allocated 510073
    maximum packets allocated 6380
    maximum bytes allocated 576498
    high guard failed at 164b5498, /home/dgp/fossil/tcl8.4/unix/../generic/tclProc.c 1161
    2 bytes allocated at (/home/dgp/fossil/tcl8.4/unix/../generic/tclProc.c 1158)
    Memory validation failure

Thanks to "jboning" on the chat for reporting.

----------------------------------------------------------------------

>Comment By: Don Porter (dgp)
Date: 2011-07-13 13:44

Message:
Problem is that line 1158 of tclProc.c allocates a buffer of only 2 bytes
to hold the formatted value of the command name "{}", forgetting that
Tcl_ConvertCountedElement() needs one additional byte in which to write
the terminating NUL.

----------------------------------------------------------------------
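
The off-by-one described in the comment above, as an added example that is not part of the original report and is not Tcl's code: `scan_element` and `format_element` are hypothetical stand-ins for the sizing call and the formatter, and the guard pattern 0xA5 is constructed. The buffer is sized with and without the extra byte for the NUL, and trailing guard bytes record the overrun the way the memory validator reported it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN 8
#define GUARD_BYTE 0xA5 /* constructed pattern, not Tcl's guard value */

/* Hypothetical stand-in for the sizing call: bytes of formatted text,
 * NOT counting the terminating NUL. An empty name formats as "{}". */
static size_t scan_element(size_t len) { return len == 0 ? 2 : len; }

/* Hypothetical stand-in for the formatter (no real quoting rules): writes
 * the text plus a terminating NUL, returns the length without the NUL. */
static size_t format_element(const char *src, size_t len, char *dst)
{
    if (len == 0) {
        memcpy(dst, "{}", 2);
        len = 2;
    } else {
        memcpy(dst, src, len);
    }
    dst[len] = '\0'; /* the byte a scan-sized allocation has no room for */
    return len;
}

/* Format `name` into a buffer of scan_element()+extra bytes followed by
 * guard bytes. Returns the index of the first clobbered guard byte,
 * -1 if the guard is intact, -2 on allocation failure. */
int first_clobbered_guard(const char *name, size_t extra)
{
    size_t len = strlen(name);
    size_t size = scan_element(len) + extra;
    unsigned char *block = malloc(size + GUARD_LEN);
    int hit = -1;
    if (block == NULL) return -2;
    memset(block + size, GUARD_BYTE, GUARD_LEN);
    format_element(name, len, (char *)block);
    for (int i = 0; i < GUARD_LEN; i++) {
        if (block[size + i] != GUARD_BYTE) { hit = i; break; }
    }
    free(block);
    return hit;
}

int main(void)
{
    printf("size = scan:     guard byte %d\n", first_clobbered_guard("", 0));
    printf("size = scan + 1: guard byte %d\n", first_clobbered_guard("", 1));
    return 0;
}
```

With the buffer sized at the scan length, guard byte 0 is overwritten with 0x0, matching the validator message in the report; one extra byte leaves the guard intact.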