From 96585a0ae4cf7d41417955b92a4491510101b38e Mon Sep 17 00:00:00 2001
From: dgp
Date: Wed, 29 Jul 2015 03:06:30 +0000
Subject: [3e7eca8c8c] Prevent overflow in the size value passed to ckrealloc().
---
 generic/tclCompExpr.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/generic/tclCompExpr.c b/generic/tclCompExpr.c
index 23dc0a4..abb917f 100644
--- a/generic/tclCompExpr.c
+++ b/generic/tclCompExpr.c
@@ -659,11 +659,13 @@ ParseExpr(
 if (nodesUsed >= nodesAvailable) {
 int size = nodesUsed * 2;
- OpNode *newPtr;
+ OpNode *newPtr = NULL;
 do {
+ if (size <= UINT_MAX/sizeof(OpNode)) {
 newPtr = (OpNode *) attemptckrealloc((char *) nodes, (unsigned int) size * sizeof(OpNode));
+ }
 } while ((newPtr == NULL) && ((size -= (size - nodesUsed) / 2) > nodesUsed));
 if (newPtr == NULL) {
-- 
cgit v0.12
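Review bot: The new guard in the `do` loop covers only the unsigned multiplication `size * sizeof(OpNode)`; the signed multiplication in `int size = nodesUsed * 2;` just above it is still unchecked, so if `nodesUsed` is an `int` (its declaration is outside the hunk) a value above `INT_MAX/2` overflows before the guard runs, which is undefined behaviour. A negative `size` is rejected only because the comparison implicitly converts it to a large unsigned value, so the check would state its intent better as `if (size > 0 && (size_t) size <= UINT_MAX/sizeof(OpNode)) {`, with the start value clamped, e.g. `int size = (nodesUsed <= INT_MAX/2) ? nodesUsed * 2 : INT_MAX;`. The halving step in the `while` condition then brings an oversized request down until it fits or reaches `nodesUsed`, and the existing `newPtr == NULL` branch handles the case where it never fits. `ParseExpr` starts and ends outside the hunk, so whether `<limits.h>` is already in scope for `UINT_MAX` cannot be confirmed from here.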