From 6f2c08cfba0904f3bbd9f983e04381b4e86fccee Mon Sep 17 00:00:00 2001
From: sebres <sebres@users.sourceforge.net>
Date: Fri, 18 Jul 2025 17:20:51 +0000
Subject: fixes [61c01e0edb08a9ed] (TclpMatchInDirectory, windows only),
 increment ref-count to avoid use-after-free for interim normalized path
 object, what may cause crash (SF/BO), usage of wrong path, etc.

---
 win/tclWinFile.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/win/tclWinFile.c b/win/tclWinFile.c
index d3c2e68..6ddb9d0 100644
--- a/win/tclWinFile.c
+++ b/win/tclWinFile.c
@@ -961,6 +961,7 @@ TclpMatchInDirectory(
 	if (fileNamePtr == NULL) {
 	    return TCL_ERROR;
 	}
+	Tcl_IncrRefCount(fileNamePtr); /* ensure it'd be alive, while used. */
 
 	/*
 	 * Verify that the specified path exists and is actually a directory.
@@ -968,11 +969,13 @@ TclpMatchInDirectory(
 
 	native = Tcl_FSGetNativePath(pathPtr);
 	if (native == NULL) {
+	    Tcl_DecrRefCount(fileNamePtr);
 	    return TCL_OK;
 	}
 	attr = (*tclWinProcs->getFileAttributesProc)(native);
 
 	if ((attr == 0xffffffff) || ((attr & FILE_ATTRIBUTE_DIRECTORY) == 0)) {
+	    Tcl_DecrRefCount(fileNamePtr);
 	    return TCL_OK;
 	}
 
@@ -990,6 +993,7 @@ TclpMatchInDirectory(
 	    Tcl_DStringAppend(&dsOrig, "/", 1);
 	    dirLength++;
 	}
+	Tcl_DecrRefCount(fileNamePtr);
 	dirName = Tcl_DStringValue(&dsOrig);
 
 	/*
-- 
cgit v0.12