zsh-workers
From: Peter Stephenson <p.w.stephenson@ntlworld.com>
To: "VAN VLIERBERGHE Stef" <stef.van-vlierberghe@eurocontrol.int>,
	<zsh-workers@zsh.org>
Cc: "Genot, Harry" <harry.genot@hp.com>,
	"BOVEN Tom" <tom.boven@eurocontrol.int>,
	"LORANG Geert" <geert.lorang@eurocontrol.int>,
	"VAN DE VOORDE Bart" <bart.van-de-voorde@eurocontrol.int>,
	"Bart van den Heuvel" <bvandenh@redhat.com>,
	"CFMU HP Verbeke K" <koen.verbeke@hp.com>,
	"Godts, Jeroen" <godts@hp.com>,
	"BRENTA Ludovic" <ludovic.brenta@eurocontrol.int>,
	"WAROQUIERS Philippe" <philippe.waroquiers@eurocontrol.int>,
	"MEERSMAN Koen" <koen.meersman@eurocontrol.int>,
	"FERNANDEZ Roberto" <roberto.fernandez@eurocontrol.int>,
	"WILLEMS Eric" <eric.willems@eurocontrol.int>,
	"MAES Stefan" <stefan.maes@eurocontrol.int>,
	"THIAVILLE Eric" <eric.thiaville@eurocontrol.int>,
	"BESSIERES Marc" <marc.bessieres@eurocontrol.int>
Subject: Re: zsh-4.2.6-5.el5 rhel5.5 accesses uninitialized memory in an assignment statement using a variable name of 31 or more characters.
Date: Sat, 3 Dec 2011 17:13:04 +0000
Message-ID: <20111203171304.6ab684bd@pws-pc.ntlworld.com>
In-Reply-To: <1B2B2EF98D55CB41BD16F13B18B9B008134CC157@FFBRUE001.cfmu.corp.eurocontrol.int>

On Fri, 2 Dec 2011 22:54:34 +0100
"VAN VLIERBERGHE Stef" <stef.van-vlierberghe@eurocontrol.int> wrote:
> A more conservative workaround would be to only set the memory
> extension to zero immediately after the hrealloc call, getting
> something like a hrecalloc effect, this is much less likely to trigger
> other side-effects :
> 
> After:
> 	bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
> Add:
>       memset (bptr, 0, newbsiz - bsiz); /* len == bsiz, bptr points at first re-allocated byte, newbsiz - bsiz is size added */

This looks a safe and robust fix, and isn't obviously inefficient given
that the original allocation is doing the equivalent clearing of memory.
I'll apply the following patch to the current head (post 4.3.13) (it
also deletes some cruft there's no need to propagate).

Thanks.

Index: Src/lex.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/lex.c,v
retrieving revision 1.68
diff -p -u -r1.68 lex.c
--- Src/lex.c	15 Sep 2011 14:04:51 -0000	1.68
+++ Src/lex.c	3 Dec 2011 17:09:58 -0000
@@ -567,22 +567,14 @@ add(int c)
 {
     *bptr++ = c;
     if (bsiz == ++len) {
-#if 0
-	int newbsiz;
-
-	newbsiz = bsiz * 8;
-	while (newbsiz < inbufct)
-	    newbsiz *= 2;
-	bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
-	bsiz = newbsiz;
-#endif
-
 	int newbsiz = bsiz * 2;
 
 	if (newbsiz > inbufct && inbufct > bsiz)
 	    newbsiz = inbufct;
 
 	bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
+	/* len == bsiz, so bptr is at the start of newly allocated memory */
+	memset(bptr, 0, newbsiz - bsiz);
 	bsiz = newbsiz;
     }
 }
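Review bot: the memset bounds are right (the enclosing test is `bsiz == ++len`, so bptr == tokstr + bsiz after the hrealloc, and every path through the sizing logic leaves newbsiz > bsiz, so the length is never negative), but the comment added at `/* len == bsiz, so bptr is at the start of newly allocated memory */` only explains the arithmetic, not why the clearing exists; record that hrealloc does not zero the extension and that a later reader of tokstr looks past len (the uninitialized read in the subject line), otherwise the memset reads as redundant and is a candidate for removal by the next person tidying add(). A smaller point: the `#if 0` block deletion is unrelated cleanup; landing it separately keeps the bugfix hunk minimal for backporting to the 4.2.x build the report was filed against.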


-- 
Peter Stephenson <p.w.stephenson@ntlworld.com>
Web page now at http://homepage.ntlworld.com/p.w.stephenson/
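To make the behaviour of the patch concrete, here is a stand-alone model of the add() growth path, written for this page and not taken from zsh itself. zsh's heap allocator hrealloc() (which takes the old size explicitly) is replaced by plain realloc(); the initial buffer size of 16 and the inbufct values used are assumptions for illustration, since the page shows neither. The sizing policy (double, but clamp to inbufct when inbufct is already larger than the current buffer) and the memset of exactly the grown region follow the hunk.

```c
/* Added example, not zsh's own code: a stand-alone model of the add() growth
 * path from the patch above.  zsh's hrealloc() is replaced by realloc(); the
 * initial size (16) and the inbufct values passed in are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct tokbuf {
    char *tokstr;   /* token being accumulated */
    char *bptr;     /* next free byte, always tokstr + len */
    int   len;      /* bytes written so far */
    int   bsiz;     /* allocated size */
};

#define INITIAL_BSIZ 16 /* assumed starting size; the page does not show zsh's */

static void tokbuf_init(struct tokbuf *b)
{
    b->bsiz = INITIAL_BSIZ;
    /* the original allocation is cleared, matching Peter's remark that the
     * first allocation already does the equivalent of the new memset */
    b->tokstr = calloc(1, (size_t)b->bsiz);
    if (!b->tokstr)
        abort();
    b->bptr = b->tokstr;
    b->len = 0;
}

/* Growth policy copied from the hunk: double, but never past inbufct when
 * inbufct already exceeds the current buffer.  The memset is the fix:
 * realloc() does not clear the extension, so without it the bytes in
 * [len, bsiz) stay uninitialized until something writes them. */
static void tokbuf_add(struct tokbuf *b, int c, int inbufct)
{
    *b->bptr++ = (char)c;
    if (b->bsiz == ++b->len) {
        int newbsiz = b->bsiz * 2;
        if (newbsiz > inbufct && inbufct > b->bsiz)
            newbsiz = inbufct;
        char *p = realloc(b->tokstr, (size_t)newbsiz);
        if (!p)
            abort();
        b->tokstr = p;
        b->bptr = b->tokstr + b->len;
        /* len == bsiz here, so bptr is the first byte realloc() added */
        memset(b->bptr, 0, (size_t)(newbsiz - b->bsiz));
        b->bsiz = newbsiz;
    }
}

/* Returns 1 if every byte beyond len is zero, i.e. a reader that walks past
 * len (the class of bug in the subject line) finds a terminator, not garbage. */
static int tokbuf_tail_is_zero(const struct tokbuf *b)
{
    for (int i = b->len; i < b->bsiz; i++)
        if (b->tokstr[i] != 0)
            return 0;
    return 1;
}

/* Append n copies of 'a' under a fixed inbufct; returns the final bsiz. */
static int fill_and_size(struct tokbuf *b, int n, int inbufct)
{
    tokbuf_init(b);
    for (int i = 0; i < n; i++)
        tokbuf_add(b, 'a', inbufct);
    return b->bsiz;
}

int main(void)
{
    struct tokbuf b;
    int bsiz = fill_and_size(&b, 32, 40); /* 16 -> 32 -> clamped to 40 */
    printf("len=%d bsiz=%d tail zeroed=%d\n", b.len, bsiz, tokbuf_tail_is_zero(&b));
    free(b.tokstr);
    return 0;
}
```

With 32 bytes appended and inbufct = 40 the buffer grows 16, 32, 40: the second growth would have doubled to 64 but is clamped to inbufct, and the eight bytes from offset 32 to 39 are the freshly reallocated region that the memset clears. Removing the memset leaves those bytes with whatever realloc() hands back, which is what the original report observed for names of 31 or more characters.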


Thread overview: 5+ messages
     [not found] <F8EF4D5D00775645B06F3DF4E25896D37E2972B582@GVW1118EXC.americas.hpqcorp.net>
     [not found] ` <A57EAE15146C184AA33F0DBEB2F830231D54E6D4@G4W3213.americas.hpqcorp.net>
2011-12-02 21:54   ` VAN VLIERBERGHE Stef
2011-12-03 17:13     ` Peter Stephenson [this message]
2011-12-03 21:21     ` uninitialized memory " Bart Schaefer
2011-12-05 20:17       ` VAN VLIERBERGHE Stef
2011-12-06  9:42         ` Peter Stephenson

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/
