From 4968ffa1ce26b16430b8237f14784242c1075a1b Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Thu, 15 Sep 2022 15:59:11 +0000
Subject: [51d5f22997] Protect against passing negative size to Tcl_NewListObj.

---
 generic/tclProc.c | 2 +-
 tests/proc.test   | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/generic/tclProc.c b/generic/tclProc.c
index b846269..4d421c7 100644
--- a/generic/tclProc.c
+++ b/generic/tclProc.c
@@ -1431,7 +1431,7 @@ InitArgsAndLocals(
 
     varPtr->flags = 0;
     if (defPtr && defPtr->flags & VAR_IS_ARGS) {
-	Tcl_Obj *listPtr = Tcl_NewListObj(argCt-i, argObjs+i);
+	Tcl_Obj *listPtr = Tcl_NewListObj((argCt>i)? argCt-i : 0, argObjs+i);
 
 	varPtr->value.objPtr = listPtr;
 	Tcl_IncrRefCount(listPtr);	/* Local var is a reference. */
diff --git a/tests/proc.test b/tests/proc.test
index b87af57..118dca1 100644
--- a/tests/proc.test
+++ b/tests/proc.test
@@ -412,6 +412,13 @@ test proc-7.5 {[631b4c45df] Crash in argument processing} {
     unset -nocomplain val
 } {}
 
+test proc-7.6 {[51d5f22997] Crash in argument processing} -cleanup {
+    rename foo {}
+} -body {
+    proc foo {{x {}} {y {}} args} {}
+    foo
+} -result {}
+
 
 # cleanup
 catch {rename p ""}
-- 
cgit v0.12