Tcl Source Code

Check-in [28ef6c0c74]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix [bad6cc213d]: A format string vulnerability in Tcl nmakehelp.c allows code execution via a crated file. Also change a memcpy() to a memmove(), because the range could be overlapping
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | core-8-5-branch
Files: files | file ages | folders
SHA3-256: 28ef6c0c741408a2defd50daf1ce359a95b4b9dac6e378b46b0ec34cefdf857f
User & Date: jan.nijtmans 2021-06-22 09:02:00
References
2021-06-22
09:17 Closed ticket [7079e4f916]: A stack overflow vulnerability in Tcl nmakehelp.c allows code execution via a crated file plus 8 other changes artifact: 81b23a128d user: jan.nijtmans
09:11 Closed ticket [bad6cc213d]: A format string vulnerability in Tcl nmakehelp.c allows code execution via a crated file. plus 8 other changes artifact: b905b3d21a user: jan.nijtmans
Context
2021-06-22
13:19
More code cleanup, eliminating various compiler warnings with stricter flags. No need to even use st... check-in: f2ea4ea1fe user: jan.nijtmans tags: core-8-5-branch
09:03
Merge 8.5 check-in: 679be274e1 user: jan.nijtmans tags: core-8-6-branch
09:02
Fix [bad6cc213d]: A format string vulnerability in Tcl nmakehelp.c allows code execution via a crate... check-in: 28ef6c0c74 user: jan.nijtmans tags: core-8-5-branch
2021-06-18
12:24
Update all "cp" and "iso8859-?" encodings to the latest version. This adds 3 new codepoints to iso88... check-in: 49b98f3a2f user: jan.nijtmans tags: core-8-5-branch
Changes
Unified Diff Ignore Whitespace Patch
Changes to win/nmakehlp.c.
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547

		q = p;
		while (*q && (strchr("0123456789.ab", *q)) && ((!strchr(".ab", *q)
			    && (!strchr("ab", q[-1])) || --numdots))) {
		    ++q;
		}

		memcpy(szBuffer, p, q - p);
		szBuffer[q-p] = 0;
		szResult = szBuffer;
		break;
	    }
	}
	fclose(fp);
    }







|







533
534
535
536
537
538
539
540
541
542
543
544
545
546
547

		q = p;
		while (*q && (strchr("0123456789.ab", *q)) && ((!strchr(".ab", *q)
			    && (!strchr("ab", q[-1])) || --numdots))) {
		    ++q;
		}

		memmove(szBuffer, p, q - p);
		szBuffer[q-p] = 0;
		szResult = szBuffer;
		break;
	    }
	}
	fclose(fp);
    }
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
		    while (sp && *sp) *cp++ = *sp++;
		    op += strlen(p->key);
		    while (*op) *cp++ = *op++;
		    *cp = 0;
		    memcpy(szBuffer, szCopy, sizeof(szCopy));
		}
	    }
	    printf(szBuffer);
	}

	list_free(&substPtr);
    }
    fclose(fp);
    return 0;
}







|







670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
		    while (sp && *sp) *cp++ = *sp++;
		    op += strlen(p->key);
		    while (*op) *cp++ = *op++;
		    *cp = 0;
		    memcpy(szBuffer, szCopy, sizeof(szCopy));
		}
	    }
	    printf("%s", szBuffer);
	}

	list_free(&substPtr);
    }
    fclose(fp);
    return 0;
}