From 47855ace43a7f946266bfc62a9cb919d478c9580 Mon Sep 17 00:00:00 2001
From: ashok
Date: Fri, 14 Nov 2014 04:15:10 +0000
Subject: Fix [d43a10ce2fed950e00890049f3c273f2cdd12583|d43a10ce2f]: tk_getOpenFile crashes when passed a bad -typevariable. Crash was caused by access to a list element after the Tcl_Obj was shimmered to a variable intrep.
---
 win/tkWinDialog.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/win/tkWinDialog.c b/win/tkWinDialog.c
index c90d05a..37e4dfb 100644
--- a/win/tkWinDialog.c
+++ b/win/tkWinDialog.c
@@ -1739,9 +1739,24 @@ static int GetFileNameXP(Tcl_Interp *interp, OFNOpts *optsPtr, enum OFNOper oper
 listObjv[ofn.nFilterIndex - 1], &count, &typeInfo) != TCL_OK) {
 result = TCL_ERROR;
- } else if (Tcl_ObjSetVar2(interp, optsPtr->typeVariableObj, NULL,
- typeInfo[0], TCL_GLOBAL_ONLY|TCL_LEAVE_ERR_MSG) == NULL) {
- result = TCL_ERROR;
+ } else {
+ /*
+ * BUGFIX for d43a10ce2fed950e00890049f3c273f2cdd12583
+ * The original code was broken because it passed typeinfo[0]
+ * directly into Tcl_ObjSetVar2. In the case of typeInfo[0]
+ * pointing into a list which is also referenced by
+ * typeVariableObj, TOSV2 shimmers the object into
+ * variable intrep which loses the list representation.
+ * This invalidates typeInfo[0] which is freed but
+ * nevertheless stored as the value of the variable.
+ */
+ Tcl_Obj *selFilterObj = typeInfo[0];
+ Tcl_IncrRefCount(selFilterObj);
+ if (Tcl_ObjSetVar2(interp, optsPtr->typeVariableObj, NULL,
+ selFilterObj, TCL_GLOBAL_ONLY|TCL_LEAVE_ERR_MSG) == NULL) {
+ result = TCL_ERROR;
+ }
+ Tcl_DecrRefCount(selFilterObj);
 }
 }
 } else if (cdlgerr == FNERR_INVALIDFILENAME) {
-- 
cgit v0.12
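Review bot: `typeInfo[0]` is read in the new `else` branch without checking the `count` that the preceding `Tcl_ListObjGetElements` call filled in, so an empty filter entry would make this an out-of-bounds (possibly NULL) read before the new refcount protection applies. Unless the earlier validation of the filter list, which is outside this hunk, guarantees at least one element per entry, I would open the branch with `} else if (count > 0) {` instead of `} else {`. The hold/release pair around `Tcl_ObjSetVar2` looks right for the shimmering case, but the comment should also say that `typeInfo` and `listObjv` themselves must not be dereferenced after the call, since only the one element is pinned. The comment spells the variable `typeinfo[0]` once and uses the abbreviation `TOSV2`; `typeInfo[0]` and `Tcl_ObjSetVar2` would read better. GetFileNameXP starts and ends outside the hunk.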