[Tcl-bugs] [Tcl] (anonymous) tkt (New): Fix signed integer overflow in Tcl_ListObjReplace

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[Tcl-bugs] [Tcl] (anonymous) tkt (New): Fix signed integer overflow in Tcl_ListObjReplace

akupries
Automated mail by fx, on behalf of [hidden email]

Ticket Change [427efc96b901ce9fc459228737010814a5ffa394]
  [Fix signed integer overflow in Tcl_ListObjReplace]
  By      anonymous
  For     Tcl
  On      2017-08-02T06:35:08.911
  Details https://core.tcl.tk/tcl/tinfo?name=427efc96b901ce9fc459228737010814a5ffa394
  Ticket  https://core.tcl.tk/tcl/tktview/c2d22775ce4c6b53e57f3450ab935e1f87a64d23

Changed Fields
  assignee:        nobody
  closer:          nobody
  comment:         Tcl_ListObjReplace contains code:  int first;  int count  ....  if
                   (numElems < first+count || first+count < 0) {  /*  * The 'first+count
                   < 0' condition here guards agains integer  * overflow in determining
                   'first+count'.  */

                   So overflow is expected but it's calculated with signed type which is
                   "undefined behavior"

                   Proposed fix:

                   --- old/generic/tclListObj.c 2015-11-17 17:03:00.000000000 -0800  +++
                   new/generic/tclListObj.c 2017-08-01 23:22:59.000000000 -0700  @@
                   -897,13 +897,16 @@  }  if (count < 0) {  count = 0;  - } else if
                   (numElems < first+count || first+count < 0) {  - /*  - * The
                   'first+count < 0' condition here guards agains integer  - * overflow
                   in determining 'first+count'.  - */  + } else {  + int firstWithCount
                   = (unsigned) first + count;  + if (numElems < firstWithCount ||
                   firstWithCount < 0) {  + /*  + * The 'first+count < 0' condition here
                   guards agains integer  + * overflow in determining 'first+count'.  +
                   */

                   - count = numElems - first;  + count = numElems - first;  + }  }

                   isShared = (listRepPtr->refCount > 1);
  foundin:         8.6.4
  is_private:      0
  login:           anonymous
  priority:        5 Medium
  private_contact: 61ec11df7062b717a200d064063aa94b7b27781c
  resolution:      None
  severity:        Minor
  status:          Open
  submitter:       anonymous
  subsystem:       None
  title:           Fix signed integer overflow in Tcl_ListObjReplace
  type:            Patch

------------------------------------------------------------
See Tcl/Tk development @ http://core.tcl.tk/
------------------------------------------------------------

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Tcl-Bugs mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/tcl-bugs