2 files changed, 21 insertions, 0 deletions

diff --git a/generic/tclUtil.c b/generic/tclUtil.c
index 07b497b..d883729 100644
--- a/generic/tclUtil.c
+++ b/generic/tclUtil.c
@@ -2808,6 +2808,9 @@ Tcl_DStringSetLength(
 {
     Tcl_Size newsize;
 
+    if (length < 0) {
+	length = 0;
+    }
     if (length >= dsPtr->spaceAvl) {
 	/*
 	 * There are two interesting cases here. In the first case, the user
diff --git a/tests/dstring.test b/tests/dstring.test
index 23863d0..7c9d9f6 100644
--- a/tests/dstring.test
+++ b/tests/dstring.test
@@ -418,6 +418,24 @@ test dstring-4.2 {truncation} -constraints testdstring -setup {
 } -cleanup {
     testdstring free
 } -result {{} 0}
+test dstring-4.3 {truncation} -constraints testdstring -setup {
+    testdstring free
+} -body {
+    testdstring append "xwvut" -1
+    # Pass a negative length to Tcl_DStringSetLength();
+    # if not caught, causing '\0' to be written out-of-bounds,
+    # try corrupting dsPtr->length which begins
+    # 2*sizeof(Tcl_Size) bytes before dsPtr->staticSpace[],
+    # so that the result is -256 (on little endian systems)
+    # rather than e.g. -8 or -16.
+    # (sizeof(Tcl_Size) does not seem to be available via Tcl,
+    # so assume sizeof(Tcl_Size) == sizeof(void*) for Tcl 9.)
+    testdstring trunc [expr {-2*([package vsatisfies $tcl_version 9.0-]
+	? $tcl_platform(pointerSize) : 4)}]
+    list [testdstring get] [testdstring length]
+} -cleanup {
+    testdstring free
+} -result {{} 0}
 
 test dstring-5.1 {copying to result} -constraints testdstring -setup {
     testdstring free