From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 29947
Subject: RE: uninitialized memory using a variable name of 31 or more characters
Date: Mon, 5 Dec 2011 21:17:36 +0100
Message-ID: <1B2B2EF98D55CB41BD16F13B18B9B008134CC171@FFBRUE001.cfmu.corp.eurocontrol.int>
In-Reply-To: <111203132149.ZM30666@torch.brasslantern.com>
References: <1B2B2EF98D55CB41BD16F13B18B9B008134CC157@FFBRUE001.cfmu.corp.eurocontrol.int> <111203132149.ZM30666@torch.brasslantern.com>
From: "VAN VLIERBERGHE Stef"
To: "Bart Schaefer", "Peter Stephenson"
Cc: "Godts, Jeroen", "Bart van den Heuvel", "Genot, Harry", "WAROQUIERS Philippe", "LORANG Geert"

Thank you both.

Initially I thought it was safer to use the *bptr=0 fix because I was not sure that the tokstr buffer was always freshly allocated; if somewhere bptr is set back to the beginning (tokstr), then the problem would still exist (but be triggered even more rarely).

If you are sure that bptr can only advance, then it seems to me that you can also remove the temporary zero byte insertion further down in lex.c:

    int sav = *bptr;
    *bptr = '\0';
    t = itype_end(t, IIDENT, 0);
    if (t < bptr) {
        skipparens(Inbrack, Outbrack, &t);
    } else {
        *bptr = sav;
    }

I already asked Bart if RedHat would be willing to put in the valgrind instrumentation needed to catch errors like these systematically, and he was wondering if you would agree to such a change. I believe it would be a good idea, but I understand it would be silly for RedHat to spend the effort if you would not accept it.

Bart also confirmed that RedHat did run the test suite, so I guess they expected the suite to report the error.

Best regards.

-----Original Message-----
From: Bart Schaefer [mailto:schaefer@brasslantern.com]
Sent: Saturday 3 December 2011 22:22
To: zsh-workers@zsh.org
Cc: Godts, Jeroen; Bart van den Heuvel; Genot, Harry; VAN VLIERBERGHE Stef
Subject: Re: uninitialized memory using a variable name of 31 or more characters

[Starting a new thread per Geoff's suggestion.]

On Dec 2, 10:54pm, VAN VLIERBERGHE Stef wrote:
} Subject: zsh-4.2.6-5.el5 rhel5.5 accesses uninitialized memory in an assig
}
} A week ago I identified the problem [attached mail: lex.c add() extends tokstr=calloc() by a non-zeroing hrealloc].
}
} The bug is (rarely) triggered by : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=""
> ...
> A simple solution is to set *bptr=0 at the end of function add, but I am not sure
> this has no other consequences, to be checked with zsh developers.

It's amazing to me that RedHat made this change without discovering that it causes other/worse problems. Zsh's own test suite fails if that change is made:

    Test/A01grammar.ztst: starting.
    ZTST_getsect:14: invalid subscript
    [repeat for all other tests]

One problem, I suppose, is that this inability to run the tests doesn't end up causing the suite itself to report a failure:

    **************************************
    41 successful test scripts, 0 failures, 0 skipped
    **************************************

} After:
}     bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
} Add:
}     memset (bptr, 0, newbsiz - bsiz); /* len == bsiz, bptr points at first re-allocated byte, newbsiz - bsiz is size added */

This seems to work fine, the full test suite runs and passes.

Index: Src/lex.c
--- ../zsh-forge/current/Src/lex.c	2011-09-19 08:26:12.000000000 -0700
+++ ./Src/lex.c	2011-12-03 08:59:39.000000000 -0800
@@ -583,6 +583,7 @@
 	    newbsiz = inbufct;
 	bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
+	memset(bptr, 0, newbsiz - bsiz); /* tokstr came from calloc() */
 	bsiz = newbsiz;
     }
 }
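Review bot: the memset added in this hunk zeroes newbsiz - bsiz bytes starting at bptr, which covers exactly the newly added tail only when bptr lands at tokstr + bsiz, i.e. when len == bsiz on entry; the visible line `bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));` makes that an unstated invariant of the caller rather than a property of the fix. Zeroing from the old end of the buffer, `memset(tokstr + bsiz, 0, newbsiz - bsiz);`, covers the added region wherever bptr points and says what is meant. The subtraction also assumes newbsiz >= bsiz; the context shows only `newbsiz = inbufct;` with no guard inside the hunk, so either the guard above the hunk deserves a mention in the comment or a `newbsiz > bsiz` check belongs here, since a negative count converted to size_t would zero far past the allocation. Finally, `/* tokstr came from calloc() */` states where the buffer came from but not why the tail must be NUL: the scans further down in lex.c (the itype_end() walk discussed in this thread) stop at the first non-identifier byte and rely on the unused tail being zero, and that is the contract the comment should record.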
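The growth path both messages describe, as an added example that is not zsh's code: a small model of tokstr/bptr in which the stand-in for hrealloc() deliberately fills the new tail with stale identifier bytes, so that a scan of the kind itype_end() performs runs past the end of the token unless the tail is zeroed after growth, and stops at the token when it is. The struct and function names, the 4-byte initial size, the doubling policy and the 'x' filler are all assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the lexer's token buffer (names assumed for the example). */
struct tokbuf {
    char *tokstr;   /* token text; the unused tail is expected to be NUL */
    char *bptr;     /* next free byte */
    int   bsiz;     /* allocated size */
    int   len;      /* bytes used */
};

/* Stand-in for hrealloc(): copies the old contents to a larger block and,
 * like realloc(), says nothing about the bytes beyond the old size.  To make
 * the hazard deterministic the new tail is filled with 'x', modelling stale
 * bytes left by an earlier identifier that lived at the same heap address.
 * In the real shell those bytes are genuinely uninitialized, which is why
 * the bug showed up only rarely. */
static char *stale_hrealloc(char *old, int oldsz, int newsz)
{
    char *p = malloc((size_t)newsz);
    if (!p)
        abort();
    memset(p, 'x', (size_t)newsz);
    memcpy(p, old, (size_t)(oldsz < newsz ? oldsz : newsz));
    free(old);
    return p;
}

static void tb_init(struct tokbuf *b, int bsiz)
{
    b->tokstr = calloc((size_t)bsiz, 1);   /* zeroed, as in the lexer */
    if (!b->tokstr)
        abort();
    b->bptr = b->tokstr;
    b->bsiz = bsiz;
    b->len = 0;
}

/* Shape of add() in lex.c: store c and grow when the buffer is full.
 * zero_tail == 0 is the unpatched behaviour; zero_tail == 1 applies the
 * memset from the patch in this thread. */
static void tb_add(struct tokbuf *b, int c, int zero_tail)
{
    *b->bptr++ = (char)c;
    if (b->bsiz == ++b->len) {
        int newbsiz = b->bsiz * 2;          /* growth policy assumed */
        b->tokstr = stale_hrealloc(b->tokstr, b->bsiz, newbsiz);
        b->bptr = b->tokstr + b->len;
        if (zero_tail)
            memset(b->bptr, 0, (size_t)(newbsiz - b->bsiz));
        b->bsiz = newbsiz;
    }
}

/* How far an itype_end()-style scan walks looking for the end of an
 * identifier.  Bounded by bsiz so this example stays in bounds; the real
 * scan has no such bound and relies on a NUL in the tail. */
static int tb_ident_end(const struct tokbuf *b)
{
    int i = 0;
    while (i < b->bsiz &&
           (isalnum((unsigned char)b->tokstr[i]) || b->tokstr[i] == '_'))
        i++;
    return i;
}

/* Bytes between bptr and the end of the allocation that are not NUL. */
static int tb_unzeroed_tail(const struct tokbuf *b)
{
    int n = 0;
    for (const char *p = b->bptr; p < b->tokstr + b->bsiz; p++)
        if (*p != '\0')
            n++;
    return n;
}

/* Build a token of n 'A's from a 4-byte buffer; returns 1 if an identifier
 * scan would stop somewhere other than the end of the token. */
int demo_overrun(int n, int zero_tail)
{
    struct tokbuf b;
    tb_init(&b, 4);
    for (int i = 0; i < n; i++)
        tb_add(&b, 'A', zero_tail);
    int overran = tb_ident_end(&b) != b.len;
    free(b.tokstr);
    return overran;
}

/* Same construction; returns how many stale bytes sit beyond bptr. */
int demo_unzeroed_tail(int n, int zero_tail)
{
    struct tokbuf b;
    tb_init(&b, 4);
    for (int i = 0; i < n; i++)
        tb_add(&b, 'A', zero_tail);
    int stale = tb_unzeroed_tail(&b);
    free(b.tokstr);
    return stale;
}

int main(void)
{
    printf("8 chars, unpatched: overrun=%d stale=%d\n",
           demo_overrun(8, 0), demo_unzeroed_tail(8, 0));
    printf("8 chars, patched:   overrun=%d stale=%d\n",
           demo_overrun(8, 1), demo_unzeroed_tail(8, 1));
    return 0;
}
```

Because the model substitutes a deterministic filler for bytes that are really uninitialized, it shows the mechanism but would not trip valgrind; on the real lexer, only uninitialized-memory tracking of the kind proposed in the thread reports the read, which is why the bug survived a passing test suite.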