[6015221f59] Segfault after overflow of [binary] field specifier nume…

…ric count.
sebres · May 5, 2017 · 8770905 · 8770905
1 parent 144650f
commit 8770905
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/generic/tclBinary.c b/generic/tclBinary.c
@@ -1528,7 +1528,15 @@ GetFormatSpec(
 	(*formatPtr)++;
 	(*countPtr) = BINARY_ALL;
     } else if (isdigit(UCHAR(**formatPtr))) { /* INTL: digit */
-	(*countPtr) = strtoul(*formatPtr, formatPtr, 10);
+	unsigned long int count;
+
+	errno = 0;
+	count = strtoul(*formatPtr, formatPtr, 10);
+	if (errno || (count > (unsigned long) INT_MAX)) {
+	    (*countPtr) = INT_MAX;
+	} else {
+	    (*countPtr) = (int) count;
+	}
     } else {
 	(*countPtr) = BINARY_NOCOUNT;
     }

diff --git a/tests/binary.test b/tests/binary.test
@@ -1420,6 +1420,18 @@ test binary-37.9 {GetFormatSpec: numbers} {
     binary scan $x f* bla
     set bla
 } {1.0 -1.0 2.0 -2.0 0.0}
+test binary-37.10 {GetFormatSpec: count overflow} {
+    binary scan x a[format %ld 0x7fffffff] r
+} 0
+test binary-37.11 {GetFormatSpec: count overflow} {
+    binary scan x a[format %ld 0x10000000] r
+} 0
+test binary-37.12 {GetFormatSpec: count overflow} {
+    binary scan x a[format %ld 0x100000000] r
+} 0
+test binary-37.13 {GetFormatSpec: count overflow} {
+    binary scan x a[format %lld 0x10000000000000000] r
+} 0
 
 test binary-38.1 {FormatNumber: word alignment} {
     set x [binary format c1s1 1 1]