From 1df0c99376f51c3ea31e38fb947ba43057cafa9a Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Mon, 29 Mar 2010 21:58:58 +0000
Subject:         * generic/tclStringObj.c:       Fix array overrun in test
 format-1.12         caught by valgrind testing.

---
 ChangeLog              | 5 +++++
 generic/tclStringObj.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index de114f1..e419e2d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2010-03-29  Don Porter  <dgp@users.sourceforge.net>
+
+	* generic/tclStringObj.c:       Fix array overrun in test format-1.12
+	caught by valgrind testing.
+
 2010-03-27  Jan Nijtmans  <nijtmans@users.sf.net>
 
 	* generic/tclInt.h:	[FRQ 2974744]: share exception codes
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index 30851c1..e075d77 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -33,7 +33,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclStringObj.c,v 1.134 2010/03/05 14:34:04 dkf Exp $ */
+ * RCS: @(#) $Id: tclStringObj.c,v 1.135 2010/03/29 21:58:58 dgp Exp $ */
 
 #include "tclInt.h"
 #include "tommath.h"
@@ -2131,7 +2131,7 @@ Tcl_AppendFormatToObj(
 		    int digitOffset;
 
 		    if (useBig && big.used) {
-			if ((size_t) shift <
+			if (index < big.used && (size_t) shift <
 				CHAR_BIT*sizeof(Tcl_WideUInt) - DIGIT_BIT) {
 			    bits |= ((Tcl_WideUInt) big.dp[index++]) << shift;
 			    shift += DIGIT_BIT;
-- 
cgit v0.12