From 7e727bed70653d181a190d921ea951707ad4078a Mon Sep 17 00:00:00 2001
From: sebres <sebres@users.sourceforge.net>
Date: Thu, 26 Jul 2018 15:57:38 +0000
Subject: closes [d051b77fc18d7340]: fixed segfault by integer overflow (if
 width by format like "%4000000000g" overflows to negative values by scan of
 length)

---
 generic/tclStringObj.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index 996be77..462ef04 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -1938,6 +1938,10 @@ Tcl_AppendFormatToObj(
 	width = 0;
 	if (isdigit(UCHAR(ch))) {
 	    width = strtoul(format, &end, 10);
+	    if (width < 0) {
+		msg = overflow;
+		goto errorMsg;
+	    }
 	    format = end;
 	    step = Tcl_UtfToUniChar(format, &ch);
 	} else if (ch == '*') {
-- 
cgit v0.12