Bug [0f98bce669]. Fix limits for string replace.

3 files changed, 9 insertions, 5 deletions

diff --git a/generic/tclCmdMZ.c b/generic/tclCmdMZ.c
index 83e5647..f94d914 100644
--- a/generic/tclCmdMZ.c
+++ b/generic/tclCmdMZ.c
@@ -2437,6 +2437,9 @@ StringRplcCmd(
 		last + 1 - first, (objc == 5) ? objv[4] : NULL,
 		TCL_STRING_IN_PLACE);
 
+	if (resultPtr == NULL) {
+	    return TCL_ERROR;
+	}
 	Tcl_SetObjResult(interp, resultPtr);
     }
     return TCL_OK;
diff --git a/generic/tclInt.h b/generic/tclInt.h
index 39ddef2..a17ce7d 100644
--- a/generic/tclInt.h
+++ b/generic/tclInt.h
@@ -105,7 +105,8 @@
 #endif
 
 /*
- * Maximum *signed* value that can be stored in a Tcl_Size type.
+ * Maximum *signed* value that can be stored in a Tcl_Size type. This is
+ * primarily used for checking overflows in dynamically allocating memory.
  */
 #define TCL_SIZE_SMAX ((((Tcl_Size) 1) << ((8*sizeof(Tcl_Size)) - 1)) - 1)
 
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index f8b795e..7c0d626 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -4100,11 +4100,11 @@ TclStringReplace(
 		return objPtr;
 	    }
 
-	    if ((size_t)newBytes > INT_MAX - (numBytes - count)) {
+	    if (newBytes > (TCL_SIZE_SMAX - (numBytes - count))) {
 		if (interp) {
 		    Tcl_SetObjResult(interp, Tcl_ObjPrintf(
-			    "max size for a Tcl value (%d bytes) exceeded",
-			    INT_MAX));
+			    "max size for a Tcl value (%" TCL_Z_MODIFIER "u bytes) exceeded",
+			    TCL_SIZE_SMAX));
 		    Tcl_SetErrorCode(interp, "TCL", "MEMORY", NULL);
 		}
 		return NULL;
@@ -4139,7 +4139,7 @@ TclStringReplace(
 	if (insertPtr) {
 	    Tcl_AppendObjToObj(result, insertPtr);
 	}
-	if (first + count < (size_t)numChars) {
+	if ((first + count) < numChars) {
 	    Tcl_AppendUnicodeToObj(result, ustring + first + count,
 		    numChars - first - count);
 	}