Tcl Source Code

2022-04-18
16:56 Closed ticket [0061c7a476]: signed integer overflow in ZipReadInt() plus 7 other changes artifact: 17db8ac299 user: jan.nijtmans
2022-04-16
19:03 Fix [0061c7a476]: signed integer overflow in ZipReadInt() check-in: 22b545403f user: jan.nijtmans tags: core-8-branch
16:41 Ticket [0061c7a476] signed integer overflow in ZipReadInt() status still Open with 3 other changes artifact: 16845da8d4 user: chrstphrchvz
16:40 New ticket [0061c7a476]. artifact: 701f028ce7 user: chrstphrchvz

Ticket UUID: 0061c7a476f141128775d7982dc807f0ecf00d6a
Title: signed integer overflow in ZipReadInt()
Type: Patch Version: core-8-branch
Submitter: chrstphrchvz Created on: 2022-04-16 16:40:27
Subsystem: 37. File System Assigned To: jan.nijtmans
Priority: 5 Medium Severity: Minor
Status: Closed Last Modified: 2022-04-18 16:56:32
Resolution: Fixed Closed By: jan.nijtmans
Closed on: 2022-04-18 16:56:32
Description:

UBSan (-fsanitize=shift-base) error:

tcl/generic/tclZipfs.c:470:55: runtime error: left shift of 252 by 24 places cannot be represented in type 'int'

Avoid by casting to unsigned int before shifting:

--- generic/tclZipfs.c.orig
+++ generic/tclZipfs.c
@@ -467,7 +467,8 @@ ZipReadInt(
        Tcl_Panic("out of bounds read(4): start=%p, end=%p, ptr=%p",
                bufferStart, bufferEnd, ptr);
     }
-    return ptr[0] | (ptr[1] << 8) | (ptr[2] << 16) | (ptr[3] << 24);
+    return ptr[0] | (ptr[1] << 8) | (ptr[2] << 16) |
+           ((unsigned int)ptr[3] << 24);
 }
 
 static inline unsigned short
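Review bot: casting only `ptr[3]` is sufficient to remove the shift-base UB, since the other three terms stay well below INT_MAX and the bitwise OR then converts the whole expression to `unsigned int`, but the function's return type is not visible in this hunk; confirm that ZipReadInt returns `unsigned int`, because a top byte with bit 7 set (252 in the report) yields a value above INT_MAX that an `int` return would convert to a negative number (implementation-defined, and easy to misuse in later size comparisons). Casting all four bytes, e.g. `(unsigned int)ptr[0] | ((unsigned int)ptr[1] << 8) | ...`, would also make the intent obvious to the next reader.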
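The pattern from the patch above, written out as a stand-alone little-endian reader that widens every byte before shifting, keeps the bounds check, and adds a small predicate for the overflow condition UBSan reported. This is an added example, not code from Tcl's tclZipfs.c; the names le_read_u32, shift24_overflows_int and the sample buffer are assumptions made here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a 32-bit little-endian value from ptr. Each byte is widened to
 * uint32_t before it is shifted, so no shift happens in (signed) int,
 * which is the defect behind the UBSan report. Returns false instead of
 * panicking when the 4 bytes do not lie inside [start, end). */
static bool le_read_u32(const unsigned char *start, const unsigned char *end,
                        const unsigned char *ptr, uint32_t *out)
{
    if (ptr < start || ptr > end || end - ptr < 4) {
        return false;                       /* out-of-bounds read */
    }
    *out = (uint32_t)ptr[0]
         | ((uint32_t)ptr[1] << 8)
         | ((uint32_t)ptr[2] << 16)
         | ((uint32_t)ptr[3] << 24);
    return true;
}

/* True when (b << 24) evaluated in plain int would overflow, i.e. when b
 * exceeds INT_MAX >> 24 (127 for a 32-bit int). 252 from the report does. */
static bool shift24_overflows_int(unsigned char b)
{
    return (unsigned)b > (unsigned)(INT_MAX >> 24);
}

/* Constructed sample buffer (not from a real archive): top byte 0xFC = 252. */
static const unsigned char sample[4] = { 0x01, 0x02, 0x03, 0xFC };

static uint32_t read_sample(void)
{
    uint32_t v = 0;
    le_read_u32(sample, sample + sizeof sample, sample, &v);
    return v;                               /* 0xFC030201 */
}

static bool read_sample_past_end(void)
{
    uint32_t v = 0;
    /* only 2 bytes remain at offset 2, so the read must be rejected */
    return le_read_u32(sample, sample + sizeof sample, sample + 2, &v);
}

int main(void)
{
    printf("value=0x%08X overflows_int=%d rejected=%d\n", (unsigned)read_sample(),
           shift24_overflows_int(252), !read_sample_past_end());
    return 0;
}
```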

User Comments: jan.nijtmans added on 2022-04-18 16:56:32:

Fixed here: check-in 22b545403f

Thanks for the report and the patch!