From e51eaf9011544d3ccb2756c1e458cc42aeddd877 Mon Sep 17 00:00:00 2001
From: dkf
Date: Fri, 15 Mar 2002 15:39:06 +0000
Subject: Fixed buffer overrun reported in 530320; luckily it is not likely to be exploitable in any meaningful way, but crashing Tcl instead of triggering an error still isn't good.
---
 ChangeLog | 6 ++++++
 generic/tclCompile.c | 7 ++++---
 tests/compile.test | 9 ++++++++-
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a05afdc..9b665fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2002-03-15 Donal K. Fellows
+
+ * tests/compile.test (compile-12.3): Test to detect bug 530320.
+ * generic/tclCompile.c (TclCompileTokens): Fixed buffer overrun
+ reported in bug 530320.
+
 2002-03-14 Mo DeJong
 * win/configure: Regen.
diff --git a/generic/tclCompile.c b/generic/tclCompile.c
index 24a8693..d461309 100644
--- a/generic/tclCompile.c
+++ b/generic/tclCompile.c
@@ -11,7 +11,7 @@
 * See the file "license.terms" for information on usage and redistribution
 * of this file, and for a DISCLAIMER OF ALL WARRANTIES.
 *
- * RCS: @(#) $Id: tclCompile.c,v 1.31 2002/01/25 20:40:55 dgp Exp $
+ * RCS: @(#) $Id: tclCompile.c,v 1.32 2002/03/15 15:39:06 dkf Exp $
 */
 #include "tclInt.h"
@@ -1239,10 +1239,11 @@ TclCompileTokens(interp, tokenPtr, count, envPtr)
 code = TclCompileTokens(interp, tokenPtr+2, tokenPtr->numComponents-1, envPtr);
 if (code != TCL_OK) {
- sprintf(buffer,
+ char errorBuffer[150];
+ sprintf(errorBuffer,
 "\n (parsing index for array \"%.*s\")", ((nameBytes > 100)? 100 : nameBytes), name);
- Tcl_AddObjErrorInfo(interp, buffer, -1);
+ Tcl_AddObjErrorInfo(interp, errorBuffer, -1);
 goto error;
 }
 if (localVar < 0) {
diff --git a/tests/compile.test b/tests/compile.test
index 03f8295..7086de5 100644
--- a/tests/compile.test
+++ b/tests/compile.test
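Review bot: The new `sprintf` into `errorBuffer[150]` is still unbounded; it stays in bounds only because the `%.*s` precision is clamped to 100 and the fixed message text around it is short, and nothing in the hunk ties the 150 to the 100. A comment on the declaration such as `/* fixed message text + 100-byte name clamp + NUL must fit in 150 */`, or one named constant feeding both the array size and the clamp, would keep a later edit of the message from reintroducing the overrun. If `nameBytes` is a signed int that can ever be negative (its declaration is outside the hunk), a negative precision makes `%.*s` behave as if no precision were given, so the clamp should also floor at 0. TclCompileTokens starts and ends outside the hunk, so any other writes into the shared `buffer` are not visible here and may deserve the same check.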
@@ -11,7 +11,7 @@
 # See the file "license.terms" for information on usage and redistribution
 # of this file, and for a DISCLAIMER OF ALL WARRANTIES.
 #
-# RCS: @(#) $Id: compile.test,v 1.17 2001/12/06 10:59:17 dkf Exp $
+# RCS: @(#) $Id: compile.test,v 1.18 2002/03/15 15:39:07 dkf Exp $
 if {[lsearch [namespace children] ::tcltest] == -1} {
 package require tcltest
@@ -285,6 +285,13 @@ test compile-12.2 {testing error on literal deletion} {memDebug execCommandExist
 catch {::tcltest::removeFile source.file}
 set res
 } 0
+# Test to catch buffer overrun in TclCompileTokens from buf 530320
+test compile-12.3 {check for a buffer overrun} {
+ proc crash {} {
+ puts $array([expr {a+2}])
+ }
+ list [catch crash msg] $msg
+} {1 {syntax error in expression "a+2": variable references require preceding $}}
 # Special test for underestimating the maxStackSize required for a
 # compiled command. A failure will cause a segfault in the child
--
cgit v0.12
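Review bot: compile-12.3 checks only `$msg`, while the text formatted into the fixed buffer is appended to the error trace through `Tcl_AddObjErrorInfo`, so the test passes whether or not that string is produced correctly and catches the bug only if the overrun happens to crash the interpreter. Also returning something like `[string match {*parsing index for array "array"*} $::errorInfo]` in the result list would pin the formatted message itself. A second case with an array name longer than 100 characters would cover the truncation clamp, which the five-character name `array` never reaches. The comment above the test reads `buf 530320` where `bug 530320` is meant.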