Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 1753d22

Browse files
serhiy-storchakaserhiy-storchaka
committed
Issue #21552: Fixed possible integer overflow of too long string lengths in
the tkinter module on 64-bit platforms.
2 parents 88c56cb + 79851d7 commit 1753d22

3 files changed

Lines changed: 64 additions & 2 deletions

File tree

Lib/test/test_tcl.py

Lines changed: 26 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -565,10 +565,35 @@ def setUp(self):
565565
@support.cpython_only
566566
@unittest.skipUnless(INT_MAX < PY_SSIZE_T_MAX, "needs UINT_MAX < SIZE_MAX")
567567
@support.bigmemtest(size=INT_MAX + 1, memuse=5, dry_run=False)
568-
def test_huge_string(self, size):
568+
def test_huge_string_call(self, size):
569569
value = ' ' * size
570570
self.assertRaises(OverflowError, self.interp.call, 'set', '_', value)
571571

572+
@support.cpython_only
573+
@unittest.skipUnless(INT_MAX < PY_SSIZE_T_MAX, "needs UINT_MAX < SIZE_MAX")
574+
@support.bigmemtest(size=INT_MAX + 1, memuse=9, dry_run=False)
575+
def test_huge_string_builtins(self, size):
576+
value = '1' + ' ' * size
577+
self.assertRaises(OverflowError, self.interp.getint, value)
578+
self.assertRaises(OverflowError, self.interp.getdouble, value)
579+
self.assertRaises(OverflowError, self.interp.getboolean, value)
580+
self.assertRaises(OverflowError, self.interp.eval, value)
581+
self.assertRaises(OverflowError, self.interp.evalfile, value)
582+
self.assertRaises(OverflowError, self.interp.record, value)
583+
self.assertRaises(OverflowError, self.interp.adderrorinfo, value)
584+
self.assertRaises(OverflowError, self.interp.setvar, value, 'x', 'a')
585+
self.assertRaises(OverflowError, self.interp.setvar, 'x', value, 'a')
586+
self.assertRaises(OverflowError, self.interp.unsetvar, value)
587+
self.assertRaises(OverflowError, self.interp.unsetvar, 'x', value)
588+
self.assertRaises(OverflowError, self.interp.adderrorinfo, value)
589+
self.assertRaises(OverflowError, self.interp.exprstring, value)
590+
self.assertRaises(OverflowError, self.interp.exprlong, value)
591+
self.assertRaises(OverflowError, self.interp.exprboolean, value)
592+
self.assertRaises(OverflowError, self.interp.splitlist, value)
593+
self.assertRaises(OverflowError, self.interp.split, value)
594+
self.assertRaises(OverflowError, self.interp.createcommand, value, max)
595+
self.assertRaises(OverflowError, self.interp.deletecommand, value)
596+
572597

573598
def setUpModule():
574599
if support.verbose:

Misc/NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -89,6 +89,9 @@ Core and Builtins
8989
Library
9090
-------
9191

92+
- Issue #21552: Fixed possible integer overflow of too long string lengths in
93+
the tkinter module on 64-bit platforms.
94+
9295
- Issue #14315: The zipfile module now ignores extra fields in the central
9396
directory that are too short to be parsed instead of letting a struct.unpack
9497
error bubble up as this "bad data" appears in many real world zip files in

Modules/_tkinter.c

Lines changed: 35 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -881,6 +881,16 @@ static PyType_Spec PyTclObject_Type_spec = {
881881
};
882882

883883

884+
#if PY_SIZE_MAX > INT_MAX
885+
#define CHECK_STRING_LENGTH(s) do { \
886+
if (s != NULL && strlen(s) >= INT_MAX) { \
887+
PyErr_SetString(PyExc_OverflowError, "string is too long"); \
888+
return NULL; \
889+
} } while(0)
890+
#else
891+
#define CHECK_STRING_LENGTH(s)
892+
#endif
893+
884894
static Tcl_Obj*
885895
AsObj(PyObject *value)
886896
{
@@ -1303,6 +1313,7 @@ Tkapp_Eval(PyObject *self, PyObject *args)
13031313
if (!PyArg_ParseTuple(args, "s:eval", &script))
13041314
return NULL;
13051315

1316+
CHECK_STRING_LENGTH(script);
13061317
CHECK_TCL_APPARTMENT;
13071318

13081319
ENTER_TCL
@@ -1326,6 +1337,7 @@ Tkapp_EvalFile(PyObject *self, PyObject *args)
13261337
if (!PyArg_ParseTuple(args, "s:evalfile", &fileName))
13271338
return NULL;
13281339

1340+
CHECK_STRING_LENGTH(fileName);
13291341
CHECK_TCL_APPARTMENT;
13301342

13311343
ENTER_TCL
@@ -1346,9 +1358,10 @@ Tkapp_Record(PyObject *self, PyObject *args)
13461358
PyObject *res = NULL;
13471359
int err;
13481360

1349-
if (!PyArg_ParseTuple(args, "s", &script))
1361+
if (!PyArg_ParseTuple(args, "s:record", &script))
13501362
return NULL;
13511363

1364+
CHECK_STRING_LENGTH(script);
13521365
CHECK_TCL_APPARTMENT;
13531366

13541367
ENTER_TCL
@@ -1369,6 +1382,7 @@ Tkapp_AddErrorInfo(PyObject *self, PyObject *args)
13691382

13701383
if (!PyArg_ParseTuple(args, "s:adderrorinfo", &msg))
13711384
return NULL;
1385+
CHECK_STRING_LENGTH(msg);
13721386
CHECK_TCL_APPARTMENT;
13731387

13741388
ENTER_TCL
@@ -1552,6 +1566,8 @@ SetVar(PyObject *self, PyObject *args, int flags)
15521566
if (!PyArg_ParseTuple(args, "ssO:setvar",
15531567
&name1, &name2, &newValue))
15541568
return NULL;
1569+
CHECK_STRING_LENGTH(name1);
1570+
CHECK_STRING_LENGTH(name2);
15551571
/* XXX must hold tcl lock already??? */
15561572
newval = AsObj(newValue);
15571573
ENTER_TCL
@@ -1597,6 +1613,7 @@ GetVar(PyObject *self, PyObject *args, int flags)
15971613
varname_converter, &name1, &name2))
15981614
return NULL;
15991615

1616+
CHECK_STRING_LENGTH(name2);
16001617
ENTER_TCL
16011618
tres = Tcl_GetVar2Ex(Tkapp_Interp(self), name1, name2, flags);
16021619
ENTER_OVERLAP
@@ -1639,6 +1656,8 @@ UnsetVar(PyObject *self, PyObject *args, int flags)
16391656
if (!PyArg_ParseTuple(args, "s|s:unsetvar", &name1, &name2))
16401657
return NULL;
16411658

1659+
CHECK_STRING_LENGTH(name1);
1660+
CHECK_STRING_LENGTH(name2);
16421661
ENTER_TCL
16431662
code = Tcl_UnsetVar2(Tkapp_Interp(self), name1, name2, flags);
16441663
ENTER_OVERLAP
@@ -1684,6 +1703,7 @@ Tkapp_GetInt(PyObject *self, PyObject *args)
16841703
}
16851704
if (!PyArg_ParseTuple(args, "s:getint", &s))
16861705
return NULL;
1706+
CHECK_STRING_LENGTH(s);
16871707
if (Tcl_GetInt(Tkapp_Interp(self), s, &v) == TCL_ERROR)
16881708
return Tkinter_Error(self);
16891709
return Py_BuildValue("i", v);
@@ -1704,6 +1724,7 @@ Tkapp_GetDouble(PyObject *self, PyObject *args)
17041724
}
17051725
if (!PyArg_ParseTuple(args, "s:getdouble", &s))
17061726
return NULL;
1727+
CHECK_STRING_LENGTH(s);
17071728
if (Tcl_GetDouble(Tkapp_Interp(self), s, &v) == TCL_ERROR)
17081729
return Tkinter_Error(self);
17091730
return Py_BuildValue("d", v);
@@ -1724,6 +1745,7 @@ Tkapp_GetBoolean(PyObject *self, PyObject *args)
17241745
}
17251746
if (!PyArg_ParseTuple(args, "s:getboolean", &s))
17261747
return NULL;
1748+
CHECK_STRING_LENGTH(s);
17271749
if (Tcl_GetBoolean(Tkapp_Interp(self), s, &v) == TCL_ERROR)
17281750
return Tkinter_Error(self);
17291751
return PyBool_FromLong(v);
@@ -1739,6 +1761,7 @@ Tkapp_ExprString(PyObject *self, PyObject *args)
17391761
if (!PyArg_ParseTuple(args, "s:exprstring", &s))
17401762
return NULL;
17411763

1764+
CHECK_STRING_LENGTH(s);
17421765
CHECK_TCL_APPARTMENT;
17431766

17441767
ENTER_TCL
@@ -1763,6 +1786,7 @@ Tkapp_ExprLong(PyObject *self, PyObject *args)
17631786
if (!PyArg_ParseTuple(args, "s:exprlong", &s))
17641787
return NULL;
17651788

1789+
CHECK_STRING_LENGTH(s);
17661790
CHECK_TCL_APPARTMENT;
17671791

17681792
ENTER_TCL
@@ -1786,6 +1810,7 @@ Tkapp_ExprDouble(PyObject *self, PyObject *args)
17861810

17871811
if (!PyArg_ParseTuple(args, "s:exprdouble", &s))
17881812
return NULL;
1813+
CHECK_STRING_LENGTH(s);
17891814
CHECK_TCL_APPARTMENT;
17901815
PyFPE_START_PROTECT("Tkapp_ExprDouble", return 0)
17911816
ENTER_TCL
@@ -1810,6 +1835,7 @@ Tkapp_ExprBoolean(PyObject *self, PyObject *args)
18101835

18111836
if (!PyArg_ParseTuple(args, "s:exprboolean", &s))
18121837
return NULL;
1838+
CHECK_STRING_LENGTH(s);
18131839
CHECK_TCL_APPARTMENT;
18141840
ENTER_TCL
18151841
retval = Tcl_ExprBoolean(Tkapp_Interp(self), s, &v);
@@ -1865,6 +1891,7 @@ Tkapp_SplitList(PyObject *self, PyObject *args)
18651891
if (!PyArg_ParseTuple(args, "et:splitlist", "utf-8", &list))
18661892
return NULL;
18671893

1894+
CHECK_STRING_LENGTH(list);
18681895
if (Tcl_SplitList(Tkapp_Interp(self), list,
18691896
&argc, &argv) == TCL_ERROR) {
18701897
PyMem_Free(list);
@@ -1926,6 +1953,7 @@ Tkapp_Split(PyObject *self, PyObject *args)
19261953

19271954
if (!PyArg_ParseTuple(args, "et:split", "utf-8", &list))
19281955
return NULL;
1956+
CHECK_STRING_LENGTH(list);
19291957
v = Split(list);
19301958
PyMem_Free(list);
19311959
return v;
@@ -2057,6 +2085,7 @@ Tkapp_CreateCommand(PyObject *selfptr, PyObject *args)
20572085

20582086
if (!PyArg_ParseTuple(args, "sO:createcommand", &cmdName, &func))
20592087
return NULL;
2088+
CHECK_STRING_LENGTH(cmdName);
20602089
if (!PyCallable_Check(func)) {
20612090
PyErr_SetString(PyExc_TypeError, "command not callable");
20622091
return NULL;
@@ -2118,6 +2147,7 @@ Tkapp_DeleteCommand(PyObject *selfptr, PyObject *args)
21182147

21192148
if (!PyArg_ParseTuple(args, "s:deletecommand", &cmdName))
21202149
return NULL;
2150+
CHECK_STRING_LENGTH(cmdName);
21212151

21222152
#ifdef WITH_THREAD
21232153
if (self->threaded && self->thread_id != Tcl_GetCurrentThread()) {
@@ -2789,6 +2819,10 @@ Tkinter_Create(PyObject *self, PyObject *args)
27892819
&interactive, &wantobjects, &wantTk,
27902820
&sync, &use))
27912821
return NULL;
2822+
CHECK_STRING_LENGTH(screenName);
2823+
CHECK_STRING_LENGTH(baseName);
2824+
CHECK_STRING_LENGTH(className);
2825+
CHECK_STRING_LENGTH(use);
27922826

27932827
return (PyObject *) Tkapp_New(screenName, className,
27942828
interactive, wantobjects, wantTk,

0 commit comments

Comments
 (0)