Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 29938
From: Bart Schaefer
Message-id: <111203132149.ZM30666@torch.brasslantern.com>
Date: Sat, 03 Dec 2011 13:21:49 -0800
In-reply-to: <1B2B2EF98D55CB41BD16F13B18B9B008134CC157@FFBRUE001.cfmu.corp.eurocontrol.int>
Comments: In reply to "VAN VLIERBERGHE Stef"
        "zsh-4.2.6-5.el5 rhel5.5 accesses uninitialized memory in an assignment statement using a variable name of 31 or more characters." (Dec 2, 10:54pm)
X-Mailer: OpenZMail Classic (0.9.2 24April2005)
To:
Subject: Re: uninitialized memory using a variable name of 31 or more characters
Cc: "Godts, Jeroen", "Bart van den Heuvel", "Genot, Harry", VAN VLIERBERGHE Stef
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii

[Starting a new thread per Geoff's suggestion.]

On Dec 2, 10:54pm, VAN VLIERBERGHE Stef wrote:
} Subject: zsh-4.2.6-5.el5 rhel5.5 accesses uninitialized memory in an assig
}
} A week ago I identified the problem [attached mail: lex.c add() extends tokstr=calloc() by a non-zeroing hrealloc].
}
} The bug is (rarely) triggered by : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=""
> ...
> A simple solution is to set *bptr=0 at the end of function add, but I am not sure
> this has no other consequences, to be checked with zsh developers.

It's amazing to me that RedHat made this change without discovering that
it causes other/worse problems. Zsh's own test suite fails if that change
is made:

Test/A01grammar.ztst: starting.
ZTST_getsect:14: invalid subscript
[repeat for all other tests]

One problem, I suppose, is that this inability to run the tests doesn't
end up causing the suite itself to report a failure:

**************************************
41 successful test scripts, 0 failures, 0 skipped
**************************************

} After:
}   bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
} Add:
}   memset (bptr, 0, newbsiz - bsiz); /* len == bsiz, bptr points at first re-allocated byte, newbsiz - bsiz is size added */

This seems to work fine, the full test suite runs and passes.

Index: Src/lex.c --- ../zsh-forge/current/Src/lex.c 2011-09-19 08:26:12.000000000 -0700 +++ ./Src/lex.c 2011-12-03 08:59:39.000000000 -0800 @@ -583,6 +583,7 @@ newbsiz = inbufct; bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz)); + memset(bptr, 0, newbsiz - bsiz); /* tokstr came from calloc() */ bsiz = newbsiz; } }
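
Review bot: the memset() added after the hrealloc() line zeroes newbsiz - bsiz bytes starting at bptr, which covers exactly the newly allocated tail only when len == bsiz at this point, as the quoted suggestion assumes. Writing it as memset(tokstr + bsiz, 0, newbsiz - bsiz) would keep the zeroed range tied to the old and new sizes regardless of len, and the comment would be more useful if it said that hrealloc() does not zero the extension, rather than only that tokstr came from calloc().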
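
The failure mode discussed in this message, as an added example that is not part of the original message or of zsh's source: a zero-filled token buffer that is grown by a non-zeroing reallocator loses its implicit terminator once the token reaches the buffer size, and zeroing the new tail restores it. The names `grow_nozero`, `tokbuf`, `tok_add` and `token_is_terminated`, the 32-byte starting size and the 0xA5 fill are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a non-zeroing reallocator such as hrealloc():
 * the new tail is filled with 0xA5 so "stale" contents are deterministic. */
static char *grow_nozero(char *p, size_t oldsz, size_t newsz)
{
    char *n = malloc(newsz);
    if (!n) return NULL;
    memset(n, 0xA5, newsz);
    memcpy(n, p, oldsz);
    free(p);
    return n;
}

typedef struct { char *buf, *ptr; size_t len, siz; } tokbuf;

/* Append one byte; never writes a terminator, relying on zeroed memory. */
static int tok_add(tokbuf *t, char c, int zero_tail)
{
    *t->ptr++ = c;
    if (++t->len == t->siz) {
        size_t newsiz = t->siz * 2;
        char *n = grow_nozero(t->buf, t->siz, newsiz);
        if (!n) return -1;
        t->buf = n;
        t->ptr = n + t->len;
        if (zero_tail)                      /* same idea as the patch's memset */
            memset(t->ptr, 0, newsiz - t->siz);
        t->siz = newsiz;
    }
    return 0;
}

/* Build a token of n 'A's; 1 if buf[n] is NUL, 0 if not, -1 on alloc failure. */
int token_is_terminated(size_t n, int zero_tail)
{
    tokbuf t = { NULL, NULL, 0, 32 };       /* 32 is an assumed start size */
    if (!(t.buf = t.ptr = calloc(t.siz, 1))) return -1;
    int ok = 1;
    for (size_t i = 0; i < n && ok; i++)
        ok = (tok_add(&t, 'A', zero_tail) == 0);
    ok = ok ? (t.buf[n] == '\0') : -1;
    free(t.buf);
    return ok;
}

int main(void)
{
    printf("31 chars, no fix: %d\n", token_is_terminated(31, 0));
    printf("32 chars, no fix: %d\n", token_is_terminated(32, 0));
    printf("32 chars, fixed:  %d\n", token_is_terminated(32, 1));
    return 0;
}
```

With a real allocator the unfixed case fails only when the new tail happens to hold non-zero bytes.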