Date: Sat, 3 Dec 2011 17:13:04 +0000
From: Peter Stephenson
To: "VAN VLIERBERGHE Stef"
Cc: "Genot, Harry", "BOVEN Tom", "LORANG Geert", "VAN DE VOORDE Bart", "Bart van den Heuvel", "CFMU HP Verbeke K", "Godts, Jeroen", "BRENTA Ludovic", "WAROQUIERS Philippe", "MEERSMAN Koen", "FERNANDEZ Roberto", "WILLEMS Eric", "MAES Stefan", "THIAVILLE Eric", "BESSIERES Marc"
Subject: Re: zsh-4.2.6-5.el5 rhel5.5 accesses uninitialized memory in an assignment statement using a variable name of 31 or more characters.
Message-ID: <20111203171304.6ab684bd@pws-pc.ntlworld.com>
In-Reply-To: <1B2B2EF98D55CB41BD16F13B18B9B008134CC157@FFBRUE001.cfmu.corp.eurocontrol.int>

On Fri, 2 Dec 2011 22:54:34 +0100
"VAN VLIERBERGHE Stef" wrote:
> A more conservative workaround would be to only set the memory
> extension to zero immediately after the hrealloc call, getting
> something like a hrecalloc effect; this is much less likely to trigger
> other side-effects:
>
> After:
> bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
> Add:
> memset (bptr, 0, newbsiz - bsiz); /* len == bsiz, bptr points at first re-allocated byte, newbsiz - bsiz is size added */

This looks a safe and robust fix, and isn't obviously inefficient given
that the original allocation is doing the equivalent clearing of memory.

I'll apply the following patch to the current head (post 4.3.13) (it also
deletes some cruft there's no need to propagate).

Thanks.

Index: Src/lex.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/lex.c,v
retrieving revision 1.68
diff -p -u -r1.68 lex.c
--- Src/lex.c	15 Sep 2011 14:04:51 -0000	1.68
+++ Src/lex.c	3 Dec 2011 17:09:58 -0000
@@ -567,22 +567,14 @@ add(int c) { *bptr++ = c; if (bsiz == ++len) { -#if 0 - int newbsiz; - - newbsiz = bsiz * 8; - while (newbsiz < inbufct) - newbsiz *= 2; - bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz)); - bsiz = newbsiz; -#endif - int newbsiz = bsiz * 2; if (newbsiz > inbufct && inbufct > bsiz) newbsiz = inbufct; bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz)); + /* len == bsiz, so bptr is at the start of newly allocated memory */ + memset(bptr, 0, newbsiz - bsiz); bsiz = newbsiz; } } -- Peter Stephenson Web page now at http://homepage.ntlworld.com/p.w.stephenson/
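Review bot: the added `memset(bptr, 0, newbsiz - bsiz)` is only safe while `newbsiz > bsiz`, which the two growth paths just above do guarantee (`bsiz * 2`, or `inbufct` only when `inbufct > bsiz`), but the new comment does not say so; a later change to the growth rule that lets `newbsiz` reach or fall below `bsiz` would make the length zero or wrap it to a huge `size_t`. Suggest extending the comment to `/* len == bsiz and newbsiz > bsiz, so bptr is at the start of newly allocated memory and the length is positive */` or adding an assertion on `newbsiz > bsiz` before the memset. The `len == bsiz` claim itself is justified by the enclosing `if (bsiz == ++len)`.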
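The "hrecalloc effect" proposed in the quoted reply, as an added example that is not part of the message or of zsh's code: a grow-and-zero-the-extension helper standing in for hrealloc (the C library's realloc is used instead, an assumption), a buffer with the same doubling-then-cap growth rule as the patched add(), and a check that every byte past len is zero after growth. The struct and function names (tokbuf, recalloc, tokbuf_add, demo_long_name) and the 32-byte starting size with 64 pending input bytes are constructed for the illustration; the page gives no real buffer sizes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the lexer buffer state named in the patch
 * (tokstr, bptr, bsiz, len, inbufct). Not zsh's code. */
struct tokbuf {
    char *tokstr;   /* start of the token buffer */
    char *bptr;     /* next byte to write */
    int bsiz;       /* bytes currently allocated */
    int len;        /* bytes written so far */
    int inbufct;    /* input bytes still pending: caps the growth */
};

/* Grow a block and zero only the newly added bytes. realloc stands in for
 * zsh's hrealloc (assumption). Refuses to shrink so the memset length can
 * never underflow; returns NULL on failure and leaves the old block valid. */
static void *recalloc(void *p, size_t oldsiz, size_t newsiz)
{
    char *q;

    if (newsiz < oldsiz)
        return NULL;
    q = realloc(p, newsiz);
    if (q == NULL)
        return NULL;
    memset(q + oldsiz, 0, newsiz - oldsiz);  /* only the extension */
    return q;
}

/* The first allocation is zero-filled, matching the remark in the thread
 * that the original allocation already clears memory. */
static int tokbuf_init(struct tokbuf *tb, int bsiz, int inbufct)
{
    tb->tokstr = calloc((size_t)bsiz, 1);
    if (tb->tokstr == NULL)
        return -1;
    tb->bptr = tb->tokstr;
    tb->bsiz = bsiz;
    tb->len = 0;
    tb->inbufct = inbufct;
    return 0;
}

/* Mirrors the patched add(): store one byte; when the buffer is full, grow
 * with the same doubling-then-cap rule and zero the extension.
 * Returns 0 on success, -1 if growth failed (buffer stays usable). */
static int tokbuf_add(struct tokbuf *tb, int c)
{
    *tb->bptr++ = (char)c;
    if (tb->bsiz == ++tb->len) {
        int newbsiz = tb->bsiz * 2;
        char *n;

        if (newbsiz > tb->inbufct && tb->inbufct > tb->bsiz)
            newbsiz = tb->inbufct;
        n = recalloc(tb->tokstr, (size_t)tb->bsiz, (size_t)newbsiz);
        if (n == NULL)
            return -1;
        tb->tokstr = n;
        tb->bptr = n + tb->len;  /* len == bsiz here: first new byte */
        tb->bsiz = newbsiz;
    }
    return 0;
}

/* The invariant the fix establishes: every byte from len up to bsiz is
 * zero, so a reader that looks at tokstr[len] sees a terminator, not
 * whatever the allocator left behind. */
static int tokbuf_tail_is_zero(const struct tokbuf *tb)
{
    int i;

    for (i = tb->len; i < tb->bsiz; i++)
        if (tb->tokstr[i] != 0)
            return 0;
    return 1;
}

/* Feed a name of name_len identical bytes through a buffer that starts at
 * 32 bytes with 64 input bytes pending (constructed values). Returns the
 * final bsiz when the tail is zeroed, 0 if a stale byte was found, -1 on
 * allocation failure. A 32-byte name is the first one that forces growth. */
static int demo_long_name(int name_len)
{
    struct tokbuf tb;
    int i, result;

    if (tokbuf_init(&tb, 32, 64) != 0)
        return -1;
    for (i = 0; i < name_len; i++) {
        if (tokbuf_add(&tb, 'a') != 0) {
            free(tb.tokstr);
            return -1;
        }
    }
    result = tokbuf_tail_is_zero(&tb) ? tb.bsiz : 0;
    free(tb.tokstr);
    return result;
}

int main(void)
{
    printf("31 bytes: bsiz %d\n", demo_long_name(31));   /* no growth */
    printf("32 bytes: bsiz %d\n", demo_long_name(32));   /* grown, tail zeroed */
    printf("100 bytes: bsiz %d\n", demo_long_name(100)); /* cap no longer applies */
    return 0;
}
```

The shrink check in recalloc is the part the patch relies on implicitly: with newbsiz computed as either bsiz * 2 or an inbufct greater than bsiz the length is always positive, but a helper that is reused elsewhere should refuse the case outright rather than hand memset a wrapped size_t.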