Issue #21552: Fixed possible integer overflow of too long string lengths in
the Tkinter module on 64-bit platforms.
diff --git a/Modules/_tkinter.c b/Modules/_tkinter.c
index 8d52b89..808d481 100644
--- a/Modules/_tkinter.c
+++ b/Modules/_tkinter.c
@@ -1021,6 +1021,16 @@
0, /*tp_is_gc*/
};
+#if PY_SIZE_MAX > INT_MAX
+#define CHECK_STRING_LENGTH(s) do { \
+ if (s != NULL && strlen(s) >= INT_MAX) { \
+ PyErr_SetString(PyExc_OverflowError, "string is too long"); \
+ return NULL; \
+ } } while(0)
+#else
+#define CHECK_STRING_LENGTH(s)
+#endif
+
static Tcl_Obj*
AsObj(PyObject *value)
{
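Review bot: CHECK_STRING_LENGTH hides a `return NULL` in its body and uses its argument unparenthesized, and neither is documented at the definition. I would add a comment above the `#if`, such as `/* Sets OverflowError and returns NULL from the calling function; use it only before anything that needs cleanup has been acquired. */`, and write the test as `if ((s) != NULL && strlen(s) >= INT_MAX) { \`. The hidden return matters at call sites that already own a buffer when the check runs. AsObj, which follows the macro, begins at the end of this hunk and continues outside it.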
@@ -1486,6 +1496,7 @@
if (!PyArg_ParseTuple(args, "s:eval", &script))
return NULL;
+ CHECK_STRING_LENGTH(script);
CHECK_TCL_APPARTMENT;
ENTER_TCL
@@ -1532,6 +1543,7 @@
if (!PyArg_ParseTuple(args, "s:evalfile", &fileName))
return NULL;
+ CHECK_STRING_LENGTH(fileName);
CHECK_TCL_APPARTMENT;
ENTER_TCL
@@ -1553,9 +1565,10 @@
PyObject *res = NULL;
int err;
- if (!PyArg_ParseTuple(args, "s", &script))
+ if (!PyArg_ParseTuple(args, "s:record", &script))
return NULL;
+ CHECK_STRING_LENGTH(script);
CHECK_TCL_APPARTMENT;
ENTER_TCL
@@ -1576,6 +1589,7 @@
if (!PyArg_ParseTuple(args, "s:adderrorinfo", &msg))
return NULL;
+ CHECK_STRING_LENGTH(msg);
CHECK_TCL_APPARTMENT;
ENTER_TCL
@@ -1743,6 +1757,8 @@
if (!PyArg_ParseTuple(args, "ssO:setvar",
&name1, &name2, &newValue))
return NULL;
+ CHECK_STRING_LENGTH(name1);
+ CHECK_STRING_LENGTH(name2);
/* XXX must hold tcl lock already??? */
newval = AsObj(newValue);
ENTER_TCL
@@ -1788,6 +1804,7 @@
varname_converter, &name1, &name2))
return NULL;
+ CHECK_STRING_LENGTH(name2);
ENTER_TCL
tres = Tcl_GetVar2Ex(Tkapp_Interp(self), name1, name2, flags);
ENTER_OVERLAP
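Review bot: Only `name2` is length-checked in this hunk, while `name1` goes to `Tcl_GetVar2Ex` two lines later without a check. `name1` is filled in by `varname_converter`, which this diff does not touch, so the hunk cannot confirm that it is already bounded to `INT_MAX`. If the converter does not enforce that bound, add `CHECK_STRING_LENGTH(name1);` next to the `name2` check. Otherwise a short comment saying the converter enforces it would help. The enclosing function starts and ends outside the hunk.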
@@ -1831,6 +1848,8 @@
if (!PyArg_ParseTuple(args, "s|s:unsetvar", &name1, &name2))
return NULL;
+ CHECK_STRING_LENGTH(name1);
+ CHECK_STRING_LENGTH(name2);
ENTER_TCL
code = Tcl_UnsetVar2(Tkapp_Interp(self), name1, name2, flags);
ENTER_OVERLAP
@@ -1930,6 +1949,7 @@
if (!PyArg_ParseTuple(args, "s:exprstring", &s))
return NULL;
+ CHECK_STRING_LENGTH(s);
CHECK_TCL_APPARTMENT;
ENTER_TCL
@@ -1954,6 +1974,7 @@
if (!PyArg_ParseTuple(args, "s:exprlong", &s))
return NULL;
+ CHECK_STRING_LENGTH(s);
CHECK_TCL_APPARTMENT;
ENTER_TCL
@@ -1977,6 +1998,7 @@
if (!PyArg_ParseTuple(args, "s:exprdouble", &s))
return NULL;
+ CHECK_STRING_LENGTH(s);
CHECK_TCL_APPARTMENT;
PyFPE_START_PROTECT("Tkapp_ExprDouble", return 0)
ENTER_TCL
@@ -2001,6 +2023,7 @@
if (!PyArg_ParseTuple(args, "s:exprboolean", &s))
return NULL;
+ CHECK_STRING_LENGTH(s);
CHECK_TCL_APPARTMENT;
ENTER_TCL
retval = Tcl_ExprBoolean(Tkapp_Interp(self), s, &v);
@@ -2053,6 +2076,7 @@
if (!PyArg_ParseTuple(args, "et:splitlist", "utf-8", &list))
return NULL;
+ CHECK_STRING_LENGTH(list);
if (Tcl_SplitList(Tkapp_Interp(self), list,
&argc, &argv) == TCL_ERROR) {
PyMem_Free(list);
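Review bot: `CHECK_STRING_LENGTH(list)` returns from the function without releasing `list` when the check fails. The `et` format hands back a buffer the caller owns, as the `PyMem_Free(list)` on the error path just below shows. On 64-bit builds each rejected call therefore leaks a buffer of at least `INT_MAX` bytes, which turns the overflow guard into a memory-exhaustion path for oversized input. Free the buffer before the early return, for example by replacing the macro call here with `if (strlen(list) >= INT_MAX) { PyMem_Free(list); PyErr_SetString(PyExc_OverflowError, "string is too long"); return NULL; }`. The `et:split` hunk that follows has the same problem, and the enclosing function continues outside this hunk.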
@@ -2114,6 +2138,7 @@
if (!PyArg_ParseTuple(args, "et:split", "utf-8", &list))
return NULL;
+ CHECK_STRING_LENGTH(list);
v = Split(list);
PyMem_Free(list);
return v;
@@ -2259,6 +2284,7 @@
if (!PyArg_ParseTuple(args, "sO:createcommand", &cmdName, &func))
return NULL;
+ CHECK_STRING_LENGTH(cmdName);
if (!PyCallable_Check(func)) {
PyErr_SetString(PyExc_TypeError, "command not callable");
return NULL;
@@ -2322,6 +2348,7 @@
if (!PyArg_ParseTuple(args, "s:deletecommand", &cmdName))
return NULL;
+ CHECK_STRING_LENGTH(cmdName);
#ifdef WITH_THREAD
if (self->threaded && self->thread_id != Tcl_GetCurrentThread()) {
@@ -3130,6 +3157,10 @@
&interactive, &wantobjects, &wantTk,
&sync, &use))
return NULL;
+ CHECK_STRING_LENGTH(screenName);
+ CHECK_STRING_LENGTH(baseName);
+ CHECK_STRING_LENGTH(className);
+ CHECK_STRING_LENGTH(use);
return (PyObject *) Tkapp_New(screenName, baseName, className,
interactive, wantobjects, wantTk,