In tkOption.c:SetupStacks (lines 1343-1374 v1.18) there is a free memory read. I'm not familiar with this code so I don't fancy checking it in and haven't done so before.
The cause appears to be access to system stacks element pointers that have been reallocated within the same loop the pointer was assigned.
I tried the following changes; they prevented the free memory read, and there was no noticeable strangeness happening in my fairly complex GUI:
Changed section in tkOption.c:SetupStacks:
    for (iPtr = searchOrder; *iPtr != -1; iPtr++) {
        register Element *elPtr;
        int count, current; /* current added */
        Tk_Uid id;

        i = *iPtr;
        if (i & CLASS) {
            id = winPtr->classUid;
        } else {
            id = winPtr->nameUid;
        }
    #if 0 /* removed */
        elPtr = tsdPtr->stacks[i]->els;
        count = levelPtr->bases[i];
    #endif
        current = 0; /* current added */
        count = tsdPtr->stacks[i]->numUsed; /* count initialised from current stacks */

        /*
         * For wildcard stacks, check all entries; for non-wildcard
         * stacks, only check things that matched in the parent.
         */
        if (!(i & WILDCARD)) {
    #if 0 /* removed */
            elPtr += levelPtr[-1].bases[i];
    #endif
            current = levelPtr[-1].bases[i]; /* I think level above should not change in this loop */
            count -= current;
        }

        /* Always get elPtr anew after ExtendStacks() is called. */
        for (elPtr = tsdPtr->stacks[i]->els + current; count > 0;
                current++, elPtr = tsdPtr->stacks[i]->els + current, count--) {
            if (elPtr->nameUid != id) {
                continue;
            }
            ExtendStacks(elPtr->child.arrayPtr, leaf);
        }
    }
It didn't fix my crash, but hey that's life.
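The pattern the report describes, a pointer into a growable array kept across a call that can reallocate that array, shown as an added example that is not part of the original report and is not Tk code. Element, Stack, stack_push and scan_and_extend are hypothetical stand-ins, and for simplicity each match pushes onto the same stack that is being scanned.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for Tk's element and stack types; not the Tk definitions. */
typedef struct { int nameUid; int child; } Element;
typedef struct { Element *els; int numUsed; int arraySize; } Stack;
static int moves; /* how many times growth freed the old buffer */

/* Append e. Growth always copies to a new block and frees the old one,
 * so any pointer into the old block is stale afterwards. */
static void stack_push(Stack *s, Element e) {
    if (s->numUsed == s->arraySize) {
        int newSize = s->arraySize ? 2 * s->arraySize : 2;
        Element *p = malloc(newSize * sizeof *p);
        if (p == NULL) abort();
        if (s->els != NULL) {
            memcpy(p, s->els, s->numUsed * sizeof *p);
            free(s->els);
            moves++;
        }
        s->els = p; s->arraySize = newSize;
    }
    s->els[s->numUsed++] = e;
}

/* Scan entries [start, numUsed at entry) for id; each match pushes a new entry.
 * The element is addressed by index and re-derived from s->els on every pass. */
static int scan_and_extend(Stack *s, int start, int id) {
    int matches = 0;
    int count = s->numUsed - start; /* bound fixed before the stack grows */
    for (int current = start; count > 0; current++, count--) {
        Element *elPtr = s->els + current; /* fresh pointer every iteration */
        if (elPtr->nameUid != id) continue;
        Element e = { elPtr->child, 0 }; /* copy the field out before growing */
        stack_push(s, e); /* may free the block elPtr points into */
        matches++;
    }
    return matches;
}

int main(void) {
    Stack s = { NULL, 0, 0 };
    Element in[] = { {7, 100}, {3, 200}, {7, 300} }; /* constructed sample data */
    for (int k = 0; k < 3; k++) stack_push(&s, in[k]);
    int m = scan_and_extend(&s, 0, 7);
    printf("matches=%d numUsed=%d moves=%d\n", m, s.numUsed, moves);
    free(s.els);
    return 0;
}
```

Had the loop advanced a cached `elPtr` with `elPtr++` instead, the final iteration here would read from a block that the previous iteration's push had already freed.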