From 20c0ed50e35e6075f82eb87fdeb7a13e522b710a Mon Sep 17 00:00:00 2001
From: sebres
Date: Thu, 26 Jul 2018 15:57:38 +0000
Subject: [PATCH 1329/1800] closes [d051b77fc18d7340]: fixed segfault by integer overflow (if width by format like "%4000000000g" overflows to negative values by scan of length)
---
 generic/tclStringObj.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/generic/tclStringObj.c b/generic/tclStringObj.c
index 996be77ee..462ef0424 100644
--- a/generic/tclStringObj.c
+++ b/generic/tclStringObj.c
@@ -1938,6 +1938,10 @@ Tcl_AppendFormatToObj(
 width = 0;
 if (isdigit(UCHAR(ch))) {
 width = strtoul(format, &end, 10);
+ if (width < 0) {
+ msg = overflow;
+ goto errorMsg;
+ }
 format = end;
 step = TclUtfToUniChar(format, &ch);
 } else if (ch == '*') {
--
2.19.1
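Review bot: The new `if (width < 0)` guard only rejects overflows whose narrowed value happens to land in the negative half of `width`'s range; on an LP64 target, where `unsigned long` is wider than the `int` the `< 0` test implies `width` to be, a digit run such as 4294967396 is parsed by `strtoul` without error, truncated on assignment to 100, and silently accepted as the field width, and the ERANGE case (`ULONG_MAX`) is caught only through implementation-defined narrowing. Checking the unsigned result before it is narrowed is portable and exhaustive: `unsigned long w = strtoul(format, &end, 10);`, `if (w > INT_MAX) {` with the same `msg = overflow; goto errorMsg;` body, then `width = (int) w;` after the block, with `<limits.h>` in scope. If the precision field is scanned the same way further down in this function, it presumably needs the same treatment. Tcl_AppendFormatToObj starts and ends outside the hunk, and the declaration of `width` is not visible here, so confirm its type before applying the cast.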