Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: uninitialized memory using a variable name of 31 or more characters



[Starting a new thread per Geoff's suggestion.]

On Dec 2, 10:54pm, VAN VLIERBERGHE Stef wrote:
} Subject: zsh-4.2.6-5.el5 rhel5.5 accesses uninitialized memory in an assig
}
} A week ago I identified the problem [attached mail: lex.c add() extends tokstr=calloc() by a non-zeroing hrealloc].
} 
} The bug is (rarely) triggered by : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=""

> ...
> A simple solution is to set *bptr=0 at the end of function add, but I am not sure
> this has no other consequences, to be checked with zsh developers.

It's amazing to me that RedHat made this change without discovering that
it causes other/worse problems.  Zsh's own test suite fails if that change
is made:

Test/A01grammar.ztst: starting.
ZTST_getsect:14: invalid subscript
[repeat for all other tests]

One problem, I suppose, is that this inability to run the tests doesn't end
up causing the suite itself to report a failure:

**************************************
41 successful test scripts, 0 failures, 0 skipped
**************************************

} After:
} 	bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
} Add:
}       memset (bptr, 0, newbsiz - bsiz); /* len == bsiz, bptr points at first re-allocated byte, newbsiz - bsiz is size added */

This seems to work fine, the full test suite runs and passes.

Index: Src/lex.c
--- ../zsh-forge/current/Src/lex.c      2011-09-19 08:26:12.000000000 -0700
+++ ./Src/lex.c 2011-12-03 08:59:39.000000000 -0800
@@ -583,6 +583,7 @@
            newbsiz = inbufct;
 
        bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
+       memset(bptr, 0, newbsiz - bsiz);  /* tokstr came from calloc() */
        bsiz = newbsiz;
     }
 }
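Review bot: the memset length `newbsiz - bsiz` is only safe when newbsiz is larger than bsiz, and the clamp `newbsiz = inbufct;` visible just above makes that depend on inbufct exceeding the current bsiz; because the length is a size_t, the subtraction wraps to a huge value otherwise, so either guard it (`if (newbsiz > bsiz) memset(bptr, 0, newbsiz - bsiz);`) or assert the invariant. The comment `/* tokstr came from calloc() */` gives the motivation but not the invariant the zeroed range relies on (bptr sitting at tokstr + bsiz, i.e. len == bsiz, as the quoted suggestion spelled out); recording that in the comment makes the range auditable for the next reader.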


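The growth path described above, a calloc'd tokstr extended by a non-zeroing hrealloc, modelled as an added example that is not zsh's code: model_hrealloc stands in for hrealloc and deterministically poisons the new bytes with 0xAA (real stale heap bytes are merely undefined), the initial buffer size of 32 is an assumption, and tb_add / token_is_terminated are hypothetical helpers mirroring the shape of lex.c add().

```c
/* Added model of lex.c add() (not zsh's code). model_hrealloc stands in for
 * zsh's hrealloc(): it copies the old contents and leaves the added bytes
 * unset; here they are poisoned with 0xAA so the effect is deterministic. */
#include <stdlib.h>
#include <string.h>

static char *model_hrealloc(char *p, size_t oldsz, size_t newsz)
{
    char *q = malloc(newsz);
    if (!q) abort();
    memset(q, 0xAA, newsz);                 /* stand-in for stale heap bytes */
    memcpy(q, p, oldsz < newsz ? oldsz : newsz);
    free(p);
    return q;
}

/* Same fields as lex.c: token buffer, write pointer, capacity, length. */
struct tokbuf { char *tokstr, *bptr; size_t bsiz, len; };

static void tb_init(struct tokbuf *t, size_t bsiz)
{
    t->tokstr = calloc(bsiz, 1);            /* as in zsh, tokstr starts zeroed */
    if (!t->tokstr) abort();
    t->bptr = t->tokstr; t->bsiz = bsiz; t->len = 0;
}

/* Mirrors the shape of add(): store c, double the buffer once it is full. */
static void tb_add(struct tokbuf *t, int c, int zero_new_bytes)
{
    *t->bptr++ = (char)c;
    if (t->bsiz == ++t->len) {
        size_t newbsiz = t->bsiz * 2;
        t->bptr = t->len + (t->tokstr = model_hrealloc(t->tokstr, t->bsiz, newbsiz));
        if (zero_new_bytes)                 /* the memset from the patch */
            memset(t->bptr, 0, newbsiz - t->bsiz);
        t->bsiz = newbsiz;
    }
}

/* Feed a variable name through the buffer (initial size 32 is an assumption)
 * and return 1 if the byte after the last character is NUL, 0 otherwise. */
int token_is_terminated(const char *name, int zero_new_bytes)
{
    struct tokbuf t; tb_init(&t, 32);
    for (const char *p = name; *p; p++)
        tb_add(&t, *p, zero_new_bytes);
    int ok = (*t.bptr == '\0');
    free(t.tokstr);
    return ok;
}
```

A 32-character name fills the initial buffer exactly, so the byte after it comes from the freshly grown region: poisoned without the memset, NUL with it.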
