Tcl Source Code: View Ticket

2023-06-27
22:00		• Ticket [26960060d7] lseq-3.14 triggers use-after-free status still Open with 5 other changes artifact: 491b671f56 user: chrstphrchvz
2023-05-23
15:49		• Closed ticket [5ee0109882]: lseq list conversion results in attempt to access freed memory plus 4 other changes artifact: 1b9038c37d user: pooryorick
2023-05-17
12:12		• Pending ticket [5ee0109882]. artifact: 6354af3f3a user: pooryorick
12:09		Fix for [5ee01098824881b5], lseq list conversion results in attempt to access freed memory. check-in: e45cee0c53 user: pooryorick tags: trunk, main
11:57		• Ticket [5ee0109882] lseq list conversion results in attempt to access freed memory status still Open with 5 other changes artifact: 05962b38fc user: pooryorick
11:50		• New ticket [5ee0109882]. artifact: 452a317ccb user: pooryorick

Ticket UUID:	5ee01098824881b5500e4692bcfa74eb853bc795
Title:	lseq list conversion results in attempt to access freed memory
Type:	Bug	Version:
Submitter:	pooryorick	Created on:	2023-05-17 11:50:56
Subsystem:	- New Builtin Commands	Assigned To:	pooryorick
Priority:	5 Medium	Severity:	Important
Status:	Closed	Last Modified:	2023-05-23 15:49:53
Resolution:	Fixed	Closed By:	pooryorick
		Closed on:	2023-05-23 15:49:53
Description:	In a build of trunk with --enable-symbols and CFLAGS="-DPURIFY", the following script `trace add variable one write [list ::apply [list args { error {this error} } [namespace current]]] set one [lindex [lreplace [lseq 1 2] 1 1 hello] 0]` Results in the following error: `malloc(): unaligned fastbin chunk detected 3` The reason is that `lreplace` converts the internal repesentation from `tclArithSeriesType` to <cod>tclListType, and `SetListFromAny()` handles the arithmetic series specially, forgetting to increment the reference count when each `Tcl_Obj` is added to the list. See this loop.
User Comments:	pooryorick added on 2023-05-17 12:12:43: Fixed in [e45cee0c53].