From c839e018aafb94be00950841cdd249804cb02305 Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Mon, 29 Mar 2010 21:57:33 +0000
Subject:         * generic/tclStringObj.c:       Fix array overrun in test
 format-1.12         caught by valgrind testing.

---
 ChangeLog              | 5 +++++
 generic/tclStringObj.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6d5253f..25c962a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2010-03-29  Don Porter  <dgp@users.sourceforge.net>
+
+	* generic/tclStringObj.c:	Fix array overrun in test format-1.12
+	caught by valgrind testing.
+
 2010-03-25  Donal K. Fellows  <dkf@users.sf.net>
 
 	* unix/tclUnixFCmd.c (TclUnixCopyFile): [Bug 2976504]: Corrected
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index ffa51f8..ab6a600 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -33,7 +33,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclStringObj.c,v 1.70.2.19 2010/01/18 09:50:57 dkf Exp $ */
+ * RCS: @(#) $Id: tclStringObj.c,v 1.70.2.20 2010/03/29 21:57:33 dgp Exp $ */
 
 #include "tclInt.h"
 #include "tommath.h"
@@ -2275,7 +2275,7 @@ Tcl_AppendFormatToObj(
 		    int digitOffset;
 
 		    if (useBig && big.used) {
-			if ((size_t) shift <
+			if (index < big.used && (size_t) shift <
 				CHAR_BIT*sizeof(Tcl_WideUInt) - DIGIT_BIT) {
 			    bits |= (((Tcl_WideUInt)big.dp[index++]) <<shift);
 			    shift += DIGIT_BIT;
-- 
cgit v0.12