Better to panic sanely than to crash with a bad memory access. [Bug 1267380]

2 files changed, 11 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 6fc4686..75724ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2005-08-25  Donal K. Fellows  <donal.k.fellows@man.ac.uk>
 
+	* generic/tclListObj.c (UpdateStringOfList): Stop uncontrolled and
+	unsafe crashes from happening when working with very large string
+	representations. [Bug 1267380]
+
 	* generic/tclExecute.c (TEBC:INST_DICT_LAPPEND): Stop dropping a
 	duplicated object on the floor, which was a memory leak (and a wrong
 	result too). Thanks to Andreas Kupries for reporting this.
diff --git a/generic/tclListObj.c b/generic/tclListObj.c
index 7aaa8e0..1279a05 100644
--- a/generic/tclListObj.c
+++ b/generic/tclListObj.c
@@ -10,7 +10,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclListObj.c,v 1.24 2005/07/19 00:09:07 dkf Exp $
+ * RCS: @(#) $Id: tclListObj.c,v 1.25 2005/08/25 21:48:41 dkf Exp $
  */
 
 #include "tclInt.h"
@@ -1613,6 +1613,12 @@ UpdateStringOfList(listPtr)
 	elem = Tcl_GetStringFromObj(elemPtrs[i], &length);
 	listPtr->length += Tcl_ScanCountedElement(elem, length,
 		&flagPtr[i]) + 1;
+	/*
+	 * Check for continued sanity. [Bug 1267380]
+	 */
+	if (listPtr->length < 1) {
+	    Tcl_Panic("string representation size exceeds sane bounds");
+	}
     }
 
     /*