From ae500c24671537445c8f784f45e71f05c5b95bf6 Mon Sep 17 00:00:00 2001
From: dgp
Date: Fri, 20 Mar 2009 14:35:05 +0000
Subject: * generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow the max length of a Tcl value. [Bug 2669109]
---
 ChangeLog | 5 +++++
 generic/tclExecute.c | 12 ++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 31d8032..9b7f01b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-03-20 Don Porter
+
+ * generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow
+ the max length of a Tcl value. [Bug 2669109]
+
 2009-03-18 Don Porter
 * win/tclWinFile.c (TclpObjNormalizePath): Corrected Tcl_Obj leak.
diff --git a/generic/tclExecute.c b/generic/tclExecute.c
index 26cfba3..3bf099e 100644
--- a/generic/tclExecute.c
+++ b/generic/tclExecute.c
@@ -13,7 +13,7 @@
 * See the file "license.terms" for information on usage and redistribution of
 * this file, and for a DISCLAIMER OF ALL WARRANTIES.
 *
- * RCS: @(#) $Id: tclExecute.c,v 1.369.2.6 2008/12/16 22:04:00 ferrieux Exp $
+ * RCS: @(#) $Id: tclExecute.c,v 1.369.2.7 2009/03/20 14:35:06 dgp Exp $
 */
 #include "tclInt.h"
@@ -2112,13 +2112,18 @@ TclExecuteByteCode(
 * Compute the length to be appended.
 */
- for (currPtr=&OBJ_AT_DEPTH(opnd-2); currPtr<=&OBJ_AT_TOS; currPtr++) {
+ for (currPtr=&OBJ_AT_DEPTH(opnd-2);
+ appendLen >= 0 && currPtr<=&OBJ_AT_TOS; currPtr++) {
 bytes = TclGetStringFromObj(*currPtr, &length);
 if (bytes != NULL) {
 appendLen += length;
 }
 }
+ if (appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+ }
+
 /*
 * If nothing is to be appended, just return the first object by
 * dropping all the others from the stack; this saves both the
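Review bot: The overflow test in the length loop of the -2112 hunk only runs after `appendLen += length` has already overflowed, and signed int overflow is undefined behaviour in C, so an optimising compiler may assume `appendLen < 0` never holds and drop both the loop guard and the panic. Test before adding instead, inside the `if (bytes != NULL)` body: `if (length > INT_MAX - appendLen) { Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX); }`, which also makes the `appendLen >= 0 &&` loop condition unnecessary. The same applies to `if (length + appendLen < 0)` in the hunk at -2142, which would become `if (length > INT_MAX - appendLen)`. This assumes both values are non-negative `int` lengths; their declarations and the rest of TclExecuteByteCode are outside the hunk.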
@@ -2142,6 +2147,9 @@ TclExecuteByteCode(
 objResultPtr = OBJ_AT_DEPTH(opnd-1);
 bytes = TclGetStringFromObj(objResultPtr, &length);
+ if (length + appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+ }
 #if !TCL_COMPILE_DEBUG
 if (bytes != tclEmptyStringRep && !Tcl_IsShared(objResultPtr)) {
 TclFreeIntRep(objResultPtr);
-- 
cgit v0.12
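Review bot: The added `if (length + appendLen < 0)` check has no comment saying what it protects, although the surrounding code documents its steps in block comments. A line such as `/* Refuse a combined length above INT_MAX before the result object is grown. */` above the `if` would make the intent clear; the code that consumes `length + appendLen` is outside this hunk, so the wording should be confirmed against it. Because Tcl_Panic aborts the process rather than raising a script-level error, the comment should also record that terminating on an oversized concatenation is deliberate.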