From dfbac0054227702fab645e6c03d08c35a8dd9b7c Mon Sep 17 00:00:00 2001
From: dgp
Date: Fri, 20 Nov 2015 16:58:11 +0000
Subject: [3293874] Simplified fix (not backport). Also detect >LIST_MAX early.
---
 generic/tclListObj.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/generic/tclListObj.c b/generic/tclListObj.c
index 289cf2d..c4b5cfc 100644
--- a/generic/tclListObj.c
+++ b/generic/tclListObj.c
@@ -854,8 +854,13 @@ Tcl_ListObjReplace(
 count = numElems - first;
 }
+ if (objc > LIST_MAX - (numElems - count)) {
+ Tcl_SetObjResult(interp, Tcl_ObjPrintf(
+ "max length of a Tcl list (%d elements) exceeded", LIST_MAX));
+ return TCL_ERROR;
+ }
 isShared = (listRepPtr->refCount > 1);
- numRequired = numElems - count + objc;
+ numRequired = numElems - count + objc; /* Known <= LIST_MAX */
 for (i = 0; i < objc; i++) {
 Tcl_IncrRefCount(objv[i]);
@@ -906,6 +911,8 @@ Tcl_ListObjReplace(
 listRepPtr = AttemptNewList(interp, newMax, NULL);
 if (listRepPtr == NULL) {
+ listRepPtr = AttemptNewList(interp, numRequired, NULL);
+ if (listRepPtr == NULL) {
 for (i = 0; i < objc; i++) {
 /* See bug 3598580 */
 #if TCL_MAJOR_VERSION > 8
@@ -916,6 +923,7 @@ Tcl_ListObjReplace(
 }
 return TCL_ERROR;
 }
+ }
 listPtr->internalRep.twoPtrValue.ptr1 = (void *) listRepPtr;
 listRepPtr->refCount++;
-- cgit v0.12
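Review bot: The new length check in the first hunk calls `Tcl_SetObjResult(interp, ...)` unconditionally, so a caller that passes a NULL interp to suppress error messages would hit a NULL dereference on exactly the oversized-list path this commit is meant to reject cleanly. Nothing in the visible lines establishes that interp is non-NULL here; the rest of the hunk only forwards it to helpers. I would wrap the message in `if (interp != NULL) { ... }` and keep `return TCL_ERROR;` outside that guard. The subtraction form `LIST_MAX - (numElems - count)` looks chosen to avoid overflowing the later sum, and a short comment saying so would keep a later edit from "simplifying" it back to an addition. Tcl_ListObjReplace begins and ends outside the hunk.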
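Review bot: In the second hunk the speculative `AttemptNewList(interp, newMax, NULL)` still receives interp, so if that helper records an error in the interpreter on failure (its body is not shown here), a successful fallback with numRequired would presumably return normally while a stale allocation error remains in the result. Passing NULL to the first attempt, `listRepPtr = AttemptNewList(NULL, newMax, NULL);`, and interp only to the fallback would tie any reported error to the request that actually failed. The added inner `if` also leaves the cleanup loop at its old indentation, and its closing brace arrives in the following hunk at a column that hides the nesting; re-indenting the block would make the error path easier to audit. The enclosing function continues outside the hunk.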