diff options
| author | dgp <dgp@users.sourceforge.net> | 2018-11-09 16:03:22 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2018-11-09 16:03:22 (GMT) |
| commit | d594b7a08e5e0c42372c17f040fe2486ab63df78 (patch) | |
| tree | a06be82e0f814165c21ee6cae49f3d72ed9855ef /generic/tclListObj.c | |
| parent | eed41bb2f617a77762624aa7755f01310f7435e3 (diff) | |
| parent | 473777408d5afbf3d2d98cbb7e436b57b1f72e29 (diff) | |
| download | tcl-d594b7a08e5e0c42372c17f040fe2486ab63df78.zip tcl-d594b7a08e5e0c42372c17f040fe2486ab63df78.tar.gz tcl-d594b7a08e5e0c42372c17f040fe2486ab63df78.tar.bz2 | |
merge 8.5
Diffstat (limited to 'generic/tclListObj.c')
| -rw-r--r-- | generic/tclListObj.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/generic/tclListObj.c b/generic/tclListObj.c index 786e1ce..e42567e 100644 --- a/generic/tclListObj.c +++ b/generic/tclListObj.c @@ -1990,7 +1990,21 @@ UpdateStringOfList( * Pass 2: copy into string rep buffer. */ + /* + * We used to set the string length here, relying on a presumed + * guarantee that the number of bytes TclScanElement() calls reported + * to be needed was a precise count and not an over-estimate, so long + * as the same flag values were passed to TclConvertElement(). + * + * Then we saw [35a8f1c04a], where a bug in TclScanElement() caused + * that guarantee to fail. Rather than trust there are no more bugs, + * we set the length after the loop based on what was actually written, + * an not on what was predicted. + * listPtr->length = bytesNeeded - 1; + * + */ + listPtr->bytes = ckalloc(bytesNeeded); dst = listPtr->bytes; for (i = 0; i < numElems; i++) { @@ -1999,7 +2013,10 @@ UpdateStringOfList( dst += TclConvertElement(elem, length, dst, flagPtr[i]); *dst++ = ' '; } - listPtr->bytes[listPtr->length] = '\0'; + dst[-1] = '\0'; + + /* Here is the safe setting of the string length. */ + listPtr->length = dst - 1 - listPtr->bytes; if (flagPtr != localFlags) { ckfree(flagPtr); |