summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjan.nijtmans <nijtmans@users.sourceforge.net>2012-12-27 15:04:11 (GMT)
committerjan.nijtmans <nijtmans@users.sourceforge.net>2012-12-27 15:04:11 (GMT)
commit3179079214bd7ec9eecf26f71b91ea8d5c7308d1 (patch)
treef4ed0cc041f03fed34a2c8d4a5d5e5d78d461095
parent4abde457b0e71977a198245a76cc4bd3fd9801ca (diff)
parent74ba8ceda7f5765eb6d06f6bac99f565b9a71154 (diff)
downloadtcl-3179079214bd7ec9eecf26f71b91ea8d5c7308d1.zip
tcl-3179079214bd7ec9eecf26f71b91ea8d5c7308d1.tar.gz
tcl-3179079214bd7ec9eecf26f71b91ea8d5c7308d1.tar.bz2
[Bug 3598580]: Tcl_ListObjReplace may release deleted elements too early
-rw-r--r--ChangeLog5
-rw-r--r--generic/tclListObj.c9
2 files changed, 10 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 49da827..43b6dfa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-12-27 Jan Nijtmans <nijtmans@users.sf.net>
+
+ * generic/tclListObj.c: [Bug 3598580]: Tcl_ListObjReplace may release
+ deleted elements too early
+
2012-12-22 Alexandre Ferrieux <ferrieux@users.sourceforge.net>
* generic/tclUtil.c: Stop leaking allocated space when objifying a
diff --git a/generic/tclListObj.c b/generic/tclListObj.c
index 3668b45..53c3f66 100644
--- a/generic/tclListObj.c
+++ b/generic/tclListObj.c
@@ -909,6 +909,10 @@ Tcl_ListObjReplace(
isShared = (listRepPtr->refCount > 1);
numRequired = numElems - count + objc;
+ for (i = 0; i < objc; i++) {
+ Tcl_IncrRefCount(objv[i]);
+ }
+
if ((numRequired <= listRepPtr->maxElemCount) && !isShared) {
int shift;
@@ -1027,14 +1031,11 @@ Tcl_ListObjReplace(
}
/*
- * Insert the new elements into elemPtrs before "first". We don't do a
- * memcpy here because we must increment the reference counts for the
- * added elements, so we must explicitly loop anyway.
+ * Insert the new elements into elemPtrs before "first".
*/
for (i=0,j=first ; i<objc ; i++,j++) {
elemPtrs[j] = objv[i];
- Tcl_IncrRefCount(objv[i]);
}
/*