From db28fb893dc50fd54f948ec4bf06c296cb4165f2 Mon Sep 17 00:00:00 2001
From: Miguel Sofer <miguel.sofer@gmail.com>
Date: Wed, 29 Sep 2004 19:36:34 +0000
Subject: fix for buffer overflow in [subst], [Bug 1036649]

---
 ChangeLog          |  6 ++++++
 generic/tclBasic.c | 12 +++++++++++-
 tests/subst.test   | 19 ++++++++++++++++++-
 3 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d1de167..a44a78e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2004-09-29  Miguel Sofer <msofer@users.sf.net>
+
+	* generic/tclBasic.c (Tcl_EvalEx):
+	* tests/subst.test (12.1-2): fix for buffer overflow in [subst],
+	[Bug 1036649]
+
 2004-09-23  Mo DeJong  <mdejong@users.sourceforge.net>
 
 	* unix/dltest/Makefile.in (clean): Fixup make clean
diff --git a/generic/tclBasic.c b/generic/tclBasic.c
index f7116dd..8b199ce 100644
--- a/generic/tclBasic.c
+++ b/generic/tclBasic.c
@@ -13,7 +13,7 @@
  * See the file "license.terms" for information on usage and redistribution
  * of this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tclBasic.c,v 1.75.2.9 2004/07/28 16:28:20 dgp Exp $
+ * RCS: @(#) $Id: tclBasic.c,v 1.75.2.10 2004/09/29 19:36:36 msofer Exp $
  */
 
 #include "tclInt.h"
@@ -3727,6 +3727,16 @@ Tcl_EvalEx(interp, script, numBytes, flags)
 	    return TCL_OK;
 	}
     } while (bytesLeft > 0);
+
+    if (nested) {
+	/*
+	 * This nested script did not terminate in ']', it is an error.
+	 */
+	
+	code = TCL_ERROR;
+	goto error;
+    }
+    
     iPtr->termOffset = p - script;
     iPtr->varFramePtr = savedVarFramePtr;
     return TCL_OK;
diff --git a/tests/subst.test b/tests/subst.test
index 792420a..2cab058 100644
--- a/tests/subst.test
+++ b/tests/subst.test
@@ -11,7 +11,7 @@
 # See the file "license.terms" for information on usage and redistribution
 # of this file, and for a DISCLAIMER OF ALL WARRANTIES.
 #
-# RCS: @(#) $Id: subst.test,v 1.13.2.2 2003/03/12 18:04:41 dgp Exp $
+# RCS: @(#) $Id: subst.test,v 1.13.2.3 2004/09/29 19:36:37 msofer Exp $
 
 if {[lsearch [namespace children] ::tcltest] == -1} {
     package require tcltest
@@ -220,6 +220,23 @@ test subst-11.6 {continue in a variable subst} {
     subst {foo $var([continue]) bar}
 } {foo  bar}
 
+test subst-12.1 {nasty case, Bug 1036649} {
+    for {set i 0} {$i < 10} {incr i} {
+	set res [list [catch {subst "\[subst {};"} msg] $msg]
+	if {$msg ne "missing close-bracket"} break
+    }
+    set res
+} {1 {missing close-bracket}}
+test subst-12.2 {nasty case, Bug 1036649} {
+    for {set i 0} {$i < 10} {incr i} {
+	list [catch {subst "\[subst {}; "} msg] $msg
+	if {$msg ne "missing close-bracket"} break
+    }
+    set res
+} {1 {missing close-bracket}}
+
+
+
 # cleanup
 ::tcltest::cleanupTests
 return
-- 
cgit v0.12