From d9a0eba67b5c86ae91a6dfa013879646fc6d3e8f Mon Sep 17 00:00:00 2001
From: dkf <donal.k.fellows@manchester.ac.uk>
Date: Thu, 25 Aug 2005 22:27:08 +0000
Subject: Backport of fix for [Bug 1267380]

---
 ChangeLog            | 6 ++++++
 generic/tclListObj.c | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index d311abd..5ed5e36 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2005-08-25  Donal K. Fellows  <donal.k.fellows@man.ac.uk>
+
+	* generic/tclListObj.c (UpdateStringOfList): Stop uncontrolled and
+	unsafe crashes from happening when working with very large string
+	representations. [Bug 1267380]
+
 2005-08-17  Jeff Hobbs  <jeffh@ActiveState.com>
 
 	* generic/tclFCmd.c (TclFileMakeDirsCmd): fix to race condition in
diff --git a/generic/tclListObj.c b/generic/tclListObj.c
index 446a67e..bdc2bc0 100644
--- a/generic/tclListObj.c
+++ b/generic/tclListObj.c
@@ -11,7 +11,7 @@
  * See the file "license.terms" for information on usage and redistribution
  * of this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclListObj.c,v 1.13.4.1 2004/11/11 01:18:07 das Exp $
+ * RCS: @(#) $Id: tclListObj.c,v 1.13.4.2 2005/08/25 22:27:08 dkf Exp $
  */
 
 #include "tclInt.h"
@@ -1623,6 +1623,12 @@ UpdateStringOfList(listPtr)
 	elem = Tcl_GetStringFromObj(listRepPtr->elements[i], &length);
 	listPtr->length += Tcl_ScanCountedElement(elem, length,
 		&flagPtr[i]) + 1;
+	/*
+	 * Check for continued sanity. [Bug 1267380]
+	 */
+	if (listPtr->length < 1) {
+	    Tcl_Panic("string representation size exceeds sane bounds");
+	}
     }
 
     /*
-- 
cgit v0.12