
#63 Possible Stack Corruption in TclX_RelativeExpr()

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-04-09
Created: 2009-04-09
Private: No

Tcl example:
set x [list]
lvarpop x 0. ; # intentionally non-int as 2nd argument

This can really crash your app, since a bug in TclX_RelativeExpr() may trash the stack.
The code that tests whether the last argument is an integer, an expression, or an expression of the form "end"<+expr> is faulty.

--- tclXutil.c, line 364 ---
if (!(STRNEQU (exprStr, "end", 3) ||
STRNEQU (exprStr, "len", 3))) {
if (Tcl_ExprLong (interp, exprStr, &longResult) != TCL_OK) {

While the name of the string-comparing macro ends with "EQU", it does not test for equality of strings. It just
calls strncmp. The result of this is that the expression in the "if" can never be true, which eventually leads to
this code being executed:

--- tclXutil.c, line 382 ---
strcat (buf, exprStr + 3);

Now exprStr is surely expected to contain something starting with three letters ("end" or "len"), but it can actually contain anything.
So if the string exprStr points to is shorter than 3 characters, stack corruption might happen.

So the expression on line 364 should read:
if (STRNEQU (exprStr, "end", 3) &&
STRNEQU (exprStr, "len", 3)) {
if (Tcl_ExprLong (interp, exprStr, &longResult) != TCL_OK) {
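As an added example (not TclX's own code), here is a bounded reimplementation in C of the "end"/"len" rewrite that the report describes, showing the two defences the report implies: a prefix test that really tests equality, and a size-checked copy in place of strcat. The names TclX_RelativeExpr, STRNEQU and Tcl_ExprLong come from the report; has_prefix3, rewrite_relative, eval_simple and relative_expr are hypothetical, and eval_simple is a deliberately tiny stand-in for Tcl_ExprLong that only accepts an integer with an optional +/- integer; it also assumes "end" means listLen-1 and "len" means listLen.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prefix test that really tests equality: strncmp returns 0 on a match.
 * Safe on strings shorter than 3 chars because strncmp stops at the NUL. */
static int has_prefix3(const char *s, const char *prefix) {
    return strncmp(s, prefix, 3) == 0;
}

/* Rewrite "end<rest>" / "len<rest>" into "<value><rest>" inside buf.
 * exprStr + 3 is formed only here, where the prefix is known to be present, and
 * the copy is bounded by bufsize. Returns 0 on success, -1 on no prefix/no room. */
static int rewrite_relative(const char *exprStr, long endVal, long lenVal,
                            char *buf, size_t bufsize) {
    long base;
    if (has_prefix3(exprStr, "end")) base = endVal;
    else if (has_prefix3(exprStr, "len")) base = lenVal;
    else return -1;
    int n = snprintf(buf, bufsize, "%ld%s", base, exprStr + 3);
    return (n < 0 || (size_t)n >= bufsize) ? -1 : 0;
}

/* Minimal stand-in for Tcl_ExprLong: accepts "<int>" or "<int><+|-><int>".
 * Anything else (e.g. the "0." from the report) yields LONG_MIN, not a crash. */
static long eval_simple(const char *expr) {
    char *p, *q; errno = 0;
    long a = strtol(expr, &p, 10);
    if (p == expr || errno != 0) return LONG_MIN;
    if (*p == '\0') return a;
    if (*p != '+' && *p != '-') return LONG_MIN;
    long b = strtol(p + 1, &q, 10);
    if (q == p + 1 || *q != '\0' || errno != 0) return LONG_MIN;
    return (*p == '+') ? a + b : a - b;
}

/* Hypothetical hardened counterpart of TclX_RelativeExpr. Assumes "end" means
 * listLen-1 and "len" means listLen; returns LONG_MIN for invalid input. */
long relative_expr(const char *exprStr, long listLen) {
    char buf[64];
    if (has_prefix3(exprStr, "end") || has_prefix3(exprStr, "len")) {
        if (rewrite_relative(exprStr, listLen - 1, listLen, buf, sizeof buf) != 0)
            return LONG_MIN;
        return eval_simple(buf);
    }
    return eval_simple(exprStr);
}
```

Inputs shorter than three characters never reach the `exprStr + 3` arithmetic, and a rest string too long for the buffer is rejected instead of overrunning it.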
