From dd8e1bd7964abd576b6ae32c876f793ae4bbaf9b Mon Sep 17 00:00:00 2001
From: andreas_kupries <akupries@shaw.ca>
Date: Mon, 18 Jan 2010 22:19:11 +0000
Subject: 	* generic/tclIO.c (CreateScriptRecord): [Bug 2918110]:
 Initialize 	the EventScriptRecord (esPtr) fully before handing it to 
 Tcl_CreateChannelHandler for registration. Otherwise a reflected 
 channel calling 'chan postevent' (== Tcl_NotifyChannel) in its 
 'watchProc' will cause the function 'TclChannelEventScriptInvoker' 	to be
 run on an uninitialized structure.

---
 ChangeLog       |  9 +++++++++
 generic/tclIO.c | 29 +++++++++++++++++++++++------
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6f1e8db..ba8850b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2010-01-18  Andreas Kupries  <andreask@activestate.com>
+
+	* generic/tclIO.c (CreateScriptRecord): [Bug 2918110]: Initialize
+	the EventScriptRecord (esPtr) fully before handing it to
+	Tcl_CreateChannelHandler for registration. Otherwise a reflected
+	channel calling 'chan postevent' (== Tcl_NotifyChannel) in its
+	'watchProc' will cause the function 'TclChannelEventScriptInvoker'
+	to be run on an uninitialized structure.
+
 2010-01-18  Donal K. Fellows  <dkf@users.sf.net>
 
 	* generic/tclStringObj.c (Tcl_AppendFormatToObj): [Bug 2932421]: Stop
diff --git a/generic/tclIO.c b/generic/tclIO.c
index 3f7724b..115bf9a 100644
--- a/generic/tclIO.c
+++ b/generic/tclIO.c
@@ -10,7 +10,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclIO.c,v 1.170 2009/12/09 23:26:53 andreas_kupries Exp $
+ * RCS: @(#) $Id: tclIO.c,v 1.171 2010/01/18 22:19:11 andreas_kupries Exp $
  */
 
 #include "tclInt.h"
@@ -8677,6 +8677,7 @@ CreateScriptRecord(
     ChannelState *statePtr = chanPtr->state;
 				/* State info for channel */
     EventScriptRecord *esPtr;
+    int makeCH;
 
     for (esPtr=statePtr->scriptRecordPtr; esPtr!=NULL; esPtr=esPtr->nextPtr) {
 	if ((esPtr->interp == interp) && (esPtr->mask == mask)) {
@@ -8685,18 +8686,34 @@ CreateScriptRecord(
 	    break;
 	}
     }
-    if (esPtr == NULL) {
+
+    makeCH = (esPtr == NULL);
+
+    if (makeCH) {
 	esPtr = (EventScriptRecord *) ckalloc(sizeof(EventScriptRecord));
-	Tcl_CreateChannelHandler((Tcl_Channel) chanPtr, mask,
-		TclChannelEventScriptInvoker, esPtr);
-	esPtr->nextPtr = statePtr->scriptRecordPtr;
-	statePtr->scriptRecordPtr = esPtr;
     }
+
+    /*
+     * Initialize the structure before calling Tcl_CreateChannelHandler,
+     * because a reflected channel caling 'chan postevent' aka
+     * 'Tcl_NotifyChannel' in its 'watch'Proc will invoke
+     * 'TclChannelEventScriptInvoker' immediately, and we do not wish it to
+     * see uninitialized memory and crash. See [Bug 2918110].
+     */
+
     esPtr->chanPtr = chanPtr;
     esPtr->interp = interp;
     esPtr->mask = mask;
     Tcl_IncrRefCount(scriptPtr);
     esPtr->scriptPtr = scriptPtr;
+
+    if (makeCH) {
+	esPtr->nextPtr = statePtr->scriptRecordPtr;
+	statePtr->scriptRecordPtr = esPtr;
+
+	Tcl_CreateChannelHandler((Tcl_Channel) chanPtr, mask,
+		TclChannelEventScriptInvoker, esPtr);
+    }
 }
 
 /*
-- 
cgit v0.12