From 868168e18953894ec72ea898ff4d2f518283184e Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Thu, 19 Jan 2012 20:46:04 +0000
Subject: 3475667 Prevent buffer read overflow. Thanks to "sebres" for the
 report and fix.

---
 ChangeLog          | 7 ++++++-
 generic/tclCmdMZ.c | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6340499..2c6e34a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,9 @@
-2011-01-17  Don Porter  <dgp@users.sourceforge.net>
+2012-01-19  Don Porter  <dgp@users.sourceforge.net>
+
+	* generic/tclCmdMZ.c:	[Bug 3475667] Prevent buffer read overflow.
+	Thanks to "sebres" for the report and fix.
+
+2012-01-17  Don Porter  <dgp@users.sourceforge.net>
 
 	* library/http/http.tcl:	Bump to 2.5.6.
 	* library/http/pkgIndex.tcl:
diff --git a/generic/tclCmdMZ.c b/generic/tclCmdMZ.c
index ccf3bc6..27e4055 100644
--- a/generic/tclCmdMZ.c
+++ b/generic/tclCmdMZ.c
@@ -378,7 +378,7 @@ Tcl_RegexpObjCmd(dummy, interp, objc, objv)
     while (1) {
 	match = Tcl_RegExpExecObj(interp, regExpr, objPtr,
 		offset /* offset */, numMatchesSaved, eflags 
-		| ((offset > 0 &&
+		| ((offset > 0 && offset < stringLength &&
 		   (Tcl_GetUniChar(objPtr,offset-1) != (Tcl_UniChar)'\n'))
 		   ? TCL_REG_NOTBOL : 0));
 
-- 
cgit v0.12