From dfe41925f76a800c5abaaffdbe7b7676fca1430c Mon Sep 17 00:00:00 2001
From: dgp
Date: Fri, 20 Mar 2009 14:43:27 +0000
Subject: * generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow the max length of a Tcl value. [Bug 2669109]
---
 ChangeLog | 5 +++++
 generic/tclExecute.c | 22 +++++++++++++++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 014bcde..12d4812 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-03-20 Don Porter
+
+ * generic/tclExecute.c (INST_CONCAT1): Panic when appends overflow
+ the max length of a Tcl value. [Bug 2669109]
+
 2009-03-19 Miguel Sofer
 * generic/tcl.h:
diff --git a/generic/tclExecute.c b/generic/tclExecute.c
index 49862ae..5e8b1a7 100644
--- a/generic/tclExecute.c
+++ b/generic/tclExecute.c
@@ -14,7 +14,7 @@
 * See the file "license.terms" for information on usage and redistribution of
 * this file, and for a DISCLAIMER OF ALL WARRANTIES.
 *
- * RCS: @(#) $Id: tclExecute.c,v 1.429 2009/03/19 23:31:37 msofer Exp $
+ * RCS: @(#) $Id: tclExecute.c,v 1.430 2009/03/20 14:43:27 dgp Exp $
 */
 #include "tclInt.h"
@@ -2410,16 +2410,16 @@ TclExecuteByteCode(
 */
 if (onlyb) {
- for (currPtr = &OBJ_AT_DEPTH(opnd-2); currPtr <= &OBJ_AT_TOS;
- currPtr++) {
+ for (currPtr = &OBJ_AT_DEPTH(opnd-2);
+ appendLen >= 0 && currPtr <= &OBJ_AT_TOS; currPtr++) {
 if ((*currPtr)->bytes != tclEmptyStringRep) {
 Tcl_GetByteArrayFromObj(*currPtr, &length);
 appendLen += length;
 }
 }
 } else {
- for (currPtr = &OBJ_AT_DEPTH(opnd-2); currPtr <= &OBJ_AT_TOS;
- currPtr++) {
+ for (currPtr = &OBJ_AT_DEPTH(opnd-2);
+ appendLen >= 0 && currPtr <= &OBJ_AT_TOS; currPtr++) {
 bytes = TclGetStringFromObj(*currPtr, &length);
 if (bytes != NULL) {
 appendLen += length;
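Review bot: The `appendLen >= 0` guard added to both `for` conditions only notices the problem after `appendLen += length` has already overflowed, and signed overflow is undefined behaviour in C, so an optimising compiler is entitled to assume the sum never goes negative and drop the guard. Assuming `appendLen` and `length` are plain `int` (their declarations are outside the hunk), the test belongs before the addition: `if (length > INT_MAX - appendLen) { Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX); }` ahead of each `appendLen += length;`. The same after-the-fact pattern recurs in the `appendLen < 0` test of the @@ -2427 hunk and in `length + appendLen < 0` in the @@ -2451 and @@ -2483 hunks, where `appendLen > INT_MAX - length` is the well-defined form. The second loop's body continues past the end of this hunk.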
@@ -2427,6 +2427,10 @@ TclExecuteByteCode(
 }
 }
+ if (appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded", INT_MAX);
+ }
+
 /*
 * If nothing is to be appended, just return the first object by
 * dropping all the others from the stack; this saves both the
@@ -2451,6 +2455,10 @@ TclExecuteByteCode(
 objResultPtr = OBJ_AT_DEPTH(opnd-1);
 if (!onlyb) {
 bytes = TclGetStringFromObj(objResultPtr, &length);
+ if (length + appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded",
+ INT_MAX);
+ }
 #if !TCL_COMPILE_DEBUG
 if (bytes != tclEmptyStringRep && !Tcl_IsShared(objResultPtr)) {
 TclFreeIntRep(objResultPtr);
@@ -2483,6 +2491,10 @@ TclExecuteByteCode(
 *p = '\0';
 } else {
 bytes = (char *) Tcl_GetByteArrayFromObj(objResultPtr, &length);
+ if (length + appendLen < 0) {
+ Tcl_Panic("max size for a Tcl value (%d bytes) exceeded",
+ INT_MAX);
+ }
 #if !TCL_COMPILE_DEBUG
 if (!Tcl_IsShared(objResultPtr)) {
 bytes = (char *) Tcl_SetByteArrayLength(objResultPtr,
-- cgit v0.12
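Review bot: The `if (appendLen < 0)` block added after the length loops ends the whole process through `Tcl_Panic` for a condition that script-supplied values can reach, so one oversized concatenation takes down every interpreter hosted by the application. If that is the intended trade-off against sizing the result from a wrapped length, record it in place with a comment such as `/* Fatal by design: a wrapped appendLen must never reach the result sizing below. */`; otherwise consider failing only the current command with an ordinary Tcl error. The enclosing INST_CONCAT1 case starts and ends outside the hunk, so whether an error return is practical at this point cannot be judged from here.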
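Review bot: In the `!onlyb` branch, `length + appendLen < 0` lets a total of exactly INT_MAX through, yet this branch builds a string representation that ends with a terminating NUL (`*p = '\0';` is visible as context in the next hunk), so the storage needed is one byte more than the total. The allocation itself lies outside the hunk; if it is sized as `length + appendLen + 1`, that expression can still wrap at the boundary. A bound that leaves room for the terminator, `if (appendLen > INT_MAX - 1 - length)`, would close that case without relying on wrapped arithmetic.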