From 83ec300abdbc8486b4fd3272cd74a9c3f162ad7f Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Fri, 9 Nov 2018 15:39:26 +0000
Subject: Revise bug fix to support (length == 0) correctly. Added comments and
 improved safety in caller.

---
 generic/tclListObj.c | 19 ++++++++++++++++++-
 generic/tclUtil.c    | 21 +++++++++++++++++----
 2 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/generic/tclListObj.c b/generic/tclListObj.c
index e1dba8c..09ad034 100644
--- a/generic/tclListObj.c
+++ b/generic/tclListObj.c
@@ -1872,7 +1872,21 @@ UpdateStringOfList(
      * Pass 2: copy into string rep buffer.
      */
 
+    /*
+     * We used to set the string length here, relying on a presumed
+     * guarantee that the number of bytes TclScanElement() calls reported
+     * to be needed was a precise count and not an over-estimate, so long
+     * as the same flag values were passed to TclConvertElement().
+     *
+     * Then we saw [35a8f1c04a], where a bug in TclScanElement() caused
+     * that guarantee to fail. Rather than trust there are no more bugs,
+     * we set the length after the loop based on what was actually written,
+     * an not on what was predicted.
+     *
     listPtr->length = bytesNeeded - 1;
+     *
+     */
+
     listPtr->bytes = ckalloc((unsigned) bytesNeeded);
     dst = listPtr->bytes;
     for (i = 0; i < numElems; i++) {
@@ -1881,7 +1895,10 @@ UpdateStringOfList(
 	dst += TclConvertElement(elem, length, dst, flagPtr[i]);
 	*dst++ = ' ';
     }
-    listPtr->bytes[listPtr->length] = '\0';
+    dst[-1] = '\0';
+
+    /* Here is the safe setting of the string length. */
+    listPtr->length = dst - 1 - listPtr->bytes;
 
     if (flagPtr != localFlags) {
 	ckfree((char *) flagPtr);
diff --git a/generic/tclUtil.c b/generic/tclUtil.c
index 2a0d51a..d065069 100644
--- a/generic/tclUtil.c
+++ b/generic/tclUtil.c
@@ -944,10 +944,6 @@ TclScanElement(
     int preferEscape = 0;	/* Use preferences to track whether to use */
     int preferBrace = 0;	/* CONVERT_MASK mode. */
     int braceCount = 0;		/* Count of all braces '{' '}' seen. */
-
-    if ((*src == '#') && !(*flagPtr & TCL_DONT_QUOTE_HASH)) {
-	preferBrace = 1;
-    }
 #endif
 
     if ((p == NULL) || (length == 0) || ((*p == '\0') && (length == -1))) {
@@ -956,6 +952,23 @@ TclScanElement(
 	return 2;
     }
 
+#if COMPAT
+    /*
+     * We have an established history in TclConvertElement() when quoting
+     * because of a leading hash character to force what would be the
+     * CONVERT_MASK mode into the CONVERT_BRACE mode. That is, we format
+     * the element #{a"b} like this:
+     *			{#{a"b}}
+     * and not like this:
+     *			\#{a\"b}
+     * This is inconsistent with [list x{a"b}], but we will not change that now.
+     * Set that preference here so that we compute a tight size requirement.
+     */
+    if ((*src == '#') && !(*flagPtr & TCL_DONT_QUOTE_HASH)) {
+	preferBrace = 1;
+    }
+#endif
+
     if ((*p == '{') || (*p == '"')) {
 	/*
 	 * Must escape or protect so leading character of value is not
-- 
cgit v0.12