From 9a61b13bc442e1dda387aed0d76605813368b09a Mon Sep 17 00:00:00 2001
From: itojun <itojun>
Date: Mon, 12 Feb 2001 00:53:12 +0000
Subject: do not reference freed memory region.  found by mallof.conf=AJ

---
 chat/icb/files/patch-sum  |  3 ++-
 chat/icb/patches/patch-at | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 chat/icb/patches/patch-at

diff --git a/chat/icb/files/patch-sum b/chat/icb/files/patch-sum
index 3a1ca986e26..b047dc05c3c 100644
--- a/chat/icb/files/patch-sum
+++ b/chat/icb/files/patch-sum
@@ -1,4 +1,4 @@
-$NetBSD: patch-sum,v 1.1.1.1 2000/12/15 00:36:37 wiz Exp $
+$NetBSD: patch-sum,v 1.2 2001/02/12 00:53:12 itojun Exp $
 
 MD5 (patch-aa) = f6342b55aa894c06fdc83bbc3a8d9ecc
 MD5 (patch-ab) = af1c56e0de45046d2f36c1b4b7558741
@@ -19,3 +19,4 @@ MD5 (patch-ap) = ddd5c1ff9deb3e7c38264675305b0098
 MD5 (patch-aq) = ab312e8e310b08633a504b6c19aa2289
 MD5 (patch-ar) = 06c67af14f9a8ae76bf48ad4a07a2087
 MD5 (patch-as) = fb3e96b60ffb3c4f754749b6a3a40c65
+MD5 (patch-at) = 81e340834f993bbd7038206b3bb2b78a
diff --git a/chat/icb/patches/patch-at b/chat/icb/patches/patch-at
new file mode 100644
index 00000000000..8e2d0b608eb
--- /dev/null
+++ b/chat/icb/patches/patch-at
@@ -0,0 +1,40 @@
+$NetBSD: patch-at,v 1.1 2001/02/12 00:53:14 itojun Exp $
+
+--- tcl/tclProc.c-	Mon Feb 12 09:46:23 2001
++++ tcl/tclProc.c	Mon Feb 12 09:49:35 2001
+@@ -690,7 +690,7 @@
+     char **argv;		/* Argument values. */
+ {
+     char **args;
+-    register Var *formalPtr, *argPtr;
++    register Var *formalPtr, *argPtr, *nextPtr;
+     register Interp *iPtr = (Interp *) interp;
+     CallFrame frame;
+     char *value, *end;
+@@ -700,6 +700,7 @@
+      * Set up a call frame for the new procedure invocation.
+      */
+ 
++    memset(&frame, 0, sizeof(frame));
+     iPtr = procPtr->iPtr;
+     frame.varPtr = NULL;
+     if (iPtr->varFramePtr != NULL) {
+@@ -793,7 +794,8 @@
+      */
+ 
+     procDone:
+-    for (argPtr = frame.varPtr; argPtr != NULL; argPtr = argPtr->nextPtr) {
++    for (argPtr = frame.varPtr; argPtr != NULL; argPtr = nextPtr) {
++	nextPtr = argPtr->nextPtr;
+ 	if (argPtr->flags & VAR_DYNAMIC) {
+ 	    free(argPtr->value);
+ 	}
+@@ -919,7 +921,7 @@
+     if (valueLength < 20) {
+ 	valueLength = 20;
+     }
+-    varPtr = (Var *) malloc(VAR_SIZE(nameLength, valueLength));
++    varPtr = (Var *) calloc(1, VAR_SIZE(nameLength, valueLength));
+     strcpy(varPtr->name, name);
+     varPtr->value = varPtr->name + nameLength + 1;
+     strcpy(varPtr->value, value);
-- 
cgit v1.2.3