Tcl Source Code: View Ticket

Ticket UUID:	5ee01098824881b5500e4692bcfa74eb853bc795
Title:	lseq list conversion results in attempt to access freed memory
Type:	Bug	Version:
Submitter:	pooryorick	Created on:	2023-05-17 11:50:56
Subsystem:	- New Builtin Commands	Assigned To:	pooryorick
Priority:	5 Medium	Severity:	Important
Status:	Closed	Last Modified:	2023-05-23 15:49:53
Resolution:	Fixed	Closed By:	pooryorick
		Closed on:	2023-05-23 15:49:53
Description:	In a build of trunk with --enable-symbols and CFLAGS="-DPURIFY", the following script `trace add variable one write [list ::apply [list args { error {this error} } [namespace current]]] set one [lindex [lreplace [lseq 1 2] 1 1 hello] 0]` Results in the following error: `malloc(): unaligned fastbin chunk detected 3` The reason is that `lreplace` converts the internal repesentation from `tclArithSeriesType` to <cod>tclListType, and `SetListFromAny()` handles the arithmetic series specially, forgetting to increment the reference count when each `Tcl_Obj` is added to the list. See this loop.
User Comments:	pooryorick added on 2023-05-17 12:12:43: Fixed in [e45cee0c53].