I ran AFL fuzzer on your program and found pleny of crashes. But, mostly that happened because of passing NULL pointer to function such as strcmp. Most of the crashes happened at line 272 when strcmp is called. I fixed the problem by checking whether passing arguments to the tcl_var() are empty or not. For example, in tcl_cmd_set() function, you called tcl_var(). You can simply solve the problem by checking if var pointer is empty or not and then return FERROR if it is empty.