Short: Array reference count bug
From: Daniel von Dincklage <vondincklage@usa.net>
Date: Mon, 22 Jun 1998 03:42:01 +0200
Type: Patch
State: Applied.
Could this cause b-990203-5?
Hi!
Here's another small patch for the 3.2.1@141-driver. It fixes
a coredump that occurs while accessing an array that previously
hit the upper size-limit for arrays.
Thanks to Foobar@Regenbogen for telling me about the bug.
interpret.c :
***************
*** 12066,12072 ****
      p_size = VEC_SIZE(p);
      q_size = VEC_SIZE(q);
      s = p->item;
!     if (!--p->ref) {
  #ifdef MALLOC_smalloc
        /* we must not free any old array before we did the assignment,
         * thus vanilla realloc is not acepptable.
--- 11948,11954 ----
      p_size = VEC_SIZE(p);
      q_size = VEC_SIZE(q);
      s = p->item;
!     if (!(p->ref - 1)) {
  #ifdef MALLOC_smalloc
        /* we must not free any old array before we did the assignment,
         * thus vanilla realloc is not acepptable.
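Review bot: `if (!(p->ref - 1))` on the new side of this hunk is `p->ref == 1` written indirectly; spelling it `if (p->ref == 1)` states the intent (no other holder of p) and does not read like an off-by-one. The substantive change is that the decrement no longer happens before `allocate_uninit_array` is called, so every path inside this `if` (including the MALLOC_smalloc realloc path that the hunk does not show) must now drop the reference itself after the new array exists, or p keeps one count too many.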
***************
*** 12094,12099 ****
--- 11976,11982 ----
  #endif
        {
            r = allocate_uninit_array(p_size + q_size);
+             p->ref--;
            d = r->item;
            for (cnt = p_size; --cnt >= 0; ) {
                *d++ = *s++;
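Review bot: Placing `p->ref--` after `r = allocate_uninit_array(p_size + q_size);` is the right order for the failure the mail describes: when p_size + q_size exceeds the array size limit, control leaves the function before the decrement and p keeps its correct count instead of being released one reference early. This relies on `allocate_uninit_array` not returning on failure; if it can come back NULL here, the copy loop that follows dereferences `r->item` unchecked, so confirm which it is.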
***************
*** 12101,12106 ****
--- 11984,11990 ----
        }
      } else {
        r = allocate_uninit_array(p_size + q_size);
+         p->ref--;
        d = r->item;
        for (cnt = p_size; --cnt >= 0; ) {
            assign_checked_svalue_no_free (d++, s++, inter_sp,
inter_pc);
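Review bot: Same deferred `p->ref--` in the else branch, consistent with the previous hunk. The hunk headers show the old side at 12101 and the new side at 11984, about 118 lines apart, so the patch was generated against a base other than a pristine 3.2.1@141 tree and may need fuzz or offset when applied.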
- Daniel von Dincklage (Sunblade@SiliconDream|Gabilon)
--
 * Daniel von Dincklage (vonDincklage@ozet.de) *
Windows95 (noun): 32 bit extensions and a graphical shell for a 16 bit
patch to an 8 bit operating system originally coded for a 4 bit micro
processor, written by a 2 bit company that can't stand 1 bit of
competition.
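The ordering problem the patch corrects, reduced to a stand-alone C model as an added example (not code from the driver or from the patch author): a refcounted vector, a fixed size limit of 16, and an `allocate_uninit_array` that returns NULL instead of raising the driver's error are all assumptions made here.

```c
#include <stddef.h>
#include <stdlib.h>

#define MAX_ARRAY_SIZE 16   /* constructed upper size limit (assumption) */

/* Minimal stand-in for the driver's refcounted vector (assumption). */
typedef struct vector { int ref; size_t size; int item[MAX_ARRAY_SIZE]; } vector_t;

/* Stand-in for allocate_uninit_array(): the driver raises an error when the
 * size limit is exceeded; this model returns NULL instead (assumption). */
static vector_t *allocate_uninit_array(size_t size)
{
    if (size > MAX_ARRAY_SIZE)
        return NULL;
    vector_t *r = malloc(sizeof *r);
    if (r) { r->ref = 1; r->size = size; }
    return r;
}

/* Pre-patch order: the reference is dropped before the allocation. When the
 * allocation fails, the caller still holds p but p->ref is already one too
 * low, so p is freed while still in use the next time it is released. */
vector_t *concat_before(vector_t *p, const int *q, size_t q_size)
{
    int last_user = !--p->ref;               /* decrement happens here */
    vector_t *r = allocate_uninit_array(p->size + q_size);
    if (!r)
        return NULL;                         /* p->ref left corrupted */
    (void)last_user;                         /* realloc path not modelled */
    for (size_t i = 0; i < p->size; i++) r->item[i] = p->item[i];
    for (size_t i = 0; i < q_size; i++) r->item[p->size + i] = q[i];
    return r;
}

/* Patched order: test the count without changing it, allocate, and only
 * drop the reference once the new array exists. */
vector_t *concat_after(vector_t *p, const int *q, size_t q_size)
{
    int last_user = (p->ref == 1);           /* patch writes !(p->ref - 1) */
    vector_t *r = allocate_uninit_array(p->size + q_size);
    if (!r)
        return NULL;                         /* p->ref still correct */
    p->ref--;                                /* the decrement the patch adds */
    (void)last_user;                         /* realloc path not modelled */
    for (size_t i = 0; i < p->size; i++) r->item[i] = p->item[i];
    for (size_t i = 0; i < q_size; i++) r->item[p->size + i] = q[i];
    return r;
}
```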