* generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow

        the max length of a Tcl value.  [Bug 2669109]

1 files changed, 10 insertions, 2 deletions

diff --git a/generic/tclExecute.c b/generic/tclExecute.c
index 26cfba3..3bf099e 100644
--- a/generic/tclExecute.c
+++ b/generic/tclExecute.c
@@ -13,7 +13,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclExecute.c,v 1.369.2.6 2008/12/16 22:04:00 ferrieux Exp $
+ * RCS: @(#) $Id: tclExecute.c,v 1.369.2.7 2009/03/20 14:35:06 dgp Exp $
  */
 
 #include "tclInt.h"
@@ -2112,13 +2112,18 @@ TclExecuteByteCode(
 	 * Compute the length to be appended.
 	 */
 
-	for (currPtr=&OBJ_AT_DEPTH(opnd-2); currPtr<=&OBJ_AT_TOS; currPtr++) {
+	for (currPtr=&OBJ_AT_DEPTH(opnd-2);
+		appendLen >= 0 && currPtr<=&OBJ_AT_TOS; currPtr++) {
 	    bytes = TclGetStringFromObj(*currPtr, &length);
 	    if (bytes != NULL) {
 		appendLen += length;
 	    }
 	}
 
+	if (appendLen < 0) {
+	    Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+	}
+
 	/*
 	 * If nothing is to be appended, just return the first object by
 	 * dropping all the others from the stack; this saves both the
@@ -2142,6 +2147,9 @@ TclExecuteByteCode(
 
 	objResultPtr = OBJ_AT_DEPTH(opnd-1);
 	bytes = TclGetStringFromObj(objResultPtr, &length);
+	if (length + appendLen < 0) {
+	    Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+	}
 #if !TCL_COMPILE_DEBUG
 	if (bytes != tclEmptyStringRep && !Tcl_IsShared(objResultPtr)) {
 	    TclFreeIntRep(objResultPtr);