From 36ea3f27001c99cbc7cb3cae6894efaffe7fb512 Mon Sep 17 00:00:00 2001
From: dkf <donal.k.fellows@manchester.ac.uk>
Date: Tue, 30 Oct 2007 10:27:33 +0000
Subject: Backport of fix for first part of [Bug 1810264]

---
 ChangeLog          | 5 +++++
 generic/regc_lex.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 5d44f33..117f812 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2007-10-30  Donal K. Fellows  <donal.k.fellows@man.ac.uk>
+
+	* generic/regc_lex.c (lexescape): Ensure that backreference numbers
+	can't overflow a signed int in a way that breaks things. [Bug 1810264]
+
 2007-10-15  Miguel Sofer  <msofer@users.sf.net>
 
 	* generic/tclParse.c (Tcl_ParseBraces): fix for possible read
diff --git a/generic/regc_lex.c b/generic/regc_lex.c
index 1acc3f4..588718d 100644
--- a/generic/regc_lex.c
+++ b/generic/regc_lex.c
@@ -783,7 +783,7 @@ struct vars *v;
 		if (ISERR())
 			FAILW(REG_EESCAPE);
 		/* ugly heuristic (first test is "exactly 1 digit?") */
-		if (v->now - save == 0 || (int)c <= v->nsubexp) {
+		if (v->now-save == 0 || ((int)c > 0 && (int)c <= v->nsubexp)) {
 			NOTE(REG_UBACKREF);
 			RETV(BACKREF, (chr)c);
 		}
-- 
cgit v0.12