2022-04-18
16:56 | • Closed ticket [0061c7a476]: signed integer overflow in ZipReadInt() plus 7 other changes artifact: 17db8ac299 user: jan.nijtmans
2022-04-16
19:03 | Fix [0061c7a476]: signed integer overflow in ZipReadInt() check-in: 22b545403f user: jan.nijtmans tags: core-8-branch
16:41 | • Ticket [0061c7a476] signed integer overflow in ZipReadInt() status still Open with 3 other changes artifact: 16845da8d4 user: chrstphrchvz
16:40 | • New ticket [0061c7a476]. artifact: 701f028ce7 user: chrstphrchvz
Ticket UUID: | 0061c7a476f141128775d7982dc807f0ecf00d6a
Title: | signed integer overflow in ZipReadInt()
Type: | Patch | Version: | core-8-branch
Submitter: | chrstphrchvz | Created on: | 2022-04-16 16:40:27
Subsystem: | 37. File System | Assigned To: | jan.nijtmans
Priority: | 5 Medium | Severity: | Minor
Status: | Closed | Last Modified: | 2022-04-18 16:56:32
Resolution: | Fixed | Closed By: | jan.nijtmans
Closed on: | 2022-04-18 16:56:32
Description:
UBSan (-fsanitize=shift-base) error:
Avoid by casting to unsigned int before shifting: --- generic/tclZipfs.c.orig +++ generic/tclZipfs.c @@ -467,7 +467,8 @@ ZipReadInt( Tcl_Panic("out of bounds read(4): start=%p, end=%p, ptr=%p", bufferStart, bufferEnd, ptr); } - return ptr[0] | (ptr[1] << 8) | (ptr[2] << 16) | (ptr[3] << 24); + return ptr[0] | (ptr[1] << 8) | (ptr[2] << 16) | + ((unsigned int)ptr[3] << 24); } static inline unsigned short | |||
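Review bot: In the new return expression only the ptr[3] term is cast, so `ptr[0] | (ptr[1] << 8) | (ptr[2] << 16)` is still evaluated as int after integer promotion (if ptr is an unsigned char pointer, as the shift-base report implies) while the last term is unsigned int. That is well defined for shifts of 8 and 16, but the mixed signedness makes the correctness of the expression depend on the shift width of each term; casting every byte to unsigned int before shifting would make the whole expression uniformly unsigned and easier to audit. The return type of ZipReadInt() is not visible in this hunk, so it is worth confirming that a value with the top bit set converts to that type as intended, and the reader that starts at `static inline unsigned short` directly below deserves the same look.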
User Comments:
jan.nijtmans added on 2022-04-18 16:56:32:
Fixed [22b545403f|here]. Thanks for the report and the patch!