* generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow

        the max length of a Tcl value.  [Bug 2669109]

2 files changed, 13 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index ce814b6..5fd15a7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-03-20  Don Porter  <dgp@users.sourceforge.net>
+
+	* generic/tclExecute.c (INST_CONCAT1):	Panic when appends overflow
+	the max length of a Tcl value.  [Bug 2669109]
+
 2009-03-18  Don Porter  <dgp@users.sourceforge.net>
 
 	* win/tclWinFile.c (TclpObjNormalizePath):      Corrected Tcl_Obj leak.
diff --git a/generic/tclExecute.c b/generic/tclExecute.c
index 657ac80..065024c 100644
--- a/generic/tclExecute.c
+++ b/generic/tclExecute.c
@@ -11,7 +11,7 @@
  * See the file "license.terms" for information on usage and redistribution
  * of this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclExecute.c,v 1.94.2.27 2008/07/23 04:08:00 dgp Exp $
+ * RCS: @(#) $Id: tclExecute.c,v 1.94.2.28 2009/03/20 14:22:54 dgp Exp $
  */
 
 #include "tclInt.h"
@@ -1442,13 +1442,19 @@ TclExecuteByteCode(interp, codePtr)
 	     * First, determine how many characters are needed.
 	     */
 
-	    for (i = (stackTop - (opnd-1));  i <= stackTop;  i++) {
+	    for (i = (stackTop - (opnd-1));
+		    totalLen >= 0 && i <= stackTop; i++) {
 		bytes = Tcl_GetStringFromObj(stackPtr[i], &length);
 		if (bytes != NULL) {
 		    totalLen += length;
 		}
 	    }
 
+	    if (totalLen < 0) {
+		Tcl_Panic("max size for a Tcl value (%d bytes) exceeded",
+			INT_MAX);
+	    }
+
 	    /*
 	     * Initialize the new append string object by appending the
 	     * strings of the opnd stack objects. Also pop the objects.