Zsh Mailing List Archive
[RFC] Some coverity issues
- X-seq: zsh-workers 54405
- From: Mikael Magnusson <mikachu@xxxxxxxxx>
- To: zsh workers <zsh-workers@xxxxxxx>
- Subject: [RFC] Some coverity issues
- Date: Wed, 29 Apr 2026 02:28:31 +0200
- Archived-at: <https://zsh.org/workers/54405>
- List-id: <zsh-workers.zsh.org>
Ran Coverity and it found some new stuff; this isn't all of them,
but in addition to the three patches below, it also flagged (CID
1692314) this bit in parse.c:
    wordcode pre[FD_PRELEN];
    memset(pre, 0, sizeof(wordcode) * FD_PRELEN);
    strcpy(fdversion(pre), ZSH_VERSION);
Now, it claims that the 13-character string "zsh-5.9.0.3-test" will
overrun the 12-character space at pre+2; FD_PRELEN is 12, but wordcode is
int. Regardless of whether it is misunderstanding (or I am misunderstanding)
how big the space actually is, the strcpy is undeniably unbounded. Should
this be an strncpy, and if so, how big should n be? Should we have some
other method of enforcing a maximum version string length?
The next line is:
    write_loop(dfd, (char *)pre, FD_PRELEN * sizeof(wordcode));
which might suggest that sizeof(wordcode)*FD_PRELEN could be a good
candidate? Modulo off-by-ones.
--
Mikael Magnusson
From ef054b044d0df5a06da6146d338b4e8bfa525190 Mon Sep 17 00:00:00 2001
From: Mikael Magnusson <mikachu@xxxxxxxxx>
Date: Wed, 29 Apr 2026 01:55:18 +0200
Subject: PATCH 1/3: Coverity CID 1692320 fix potential leak
---
Src/Modules/zutil.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Src/Modules/zutil.c b/Src/Modules/zutil.c
index f13ac95ac8..05df2eb010 100644
--- a/Src/Modules/zutil.c
+++ b/Src/Modules/zutil.c
@@ -1401,8 +1401,10 @@ rmatch(RParseResult *sm, char *subj, char *var1, char *var2, int comp)
next = br->state;
if (next->pattern && !next->patprog) {
tokenize(next->pattern);
- if (!(next->patprog = patcompile(next->pattern, 0, NULL)))
+ if (!(next->patprog = patcompile(next->pattern, 0, NULL))) {
+ freematch(&match1);
return 3;
+ }
}
if (next->pattern && pattry(next->patprog, subj) &&
(!next->guard || (execstring(next->guard, 1, 0,
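Review bot: the new freematch(&match1) before `return 3` closes the leak Coverity reported on this path, but the hunk does not show where match1 is set up, so confirm that every route reaching this point has initialized it (calling freematch on an unset match1 would be worse than the leak) and that the other early returns in rmatch that follow match1's allocation free it the same way rather than only this one.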
--
2.38.1
From f00c174ee9251d78a98e253de32202021f529641 Mon Sep 17 00:00:00 2001
From: Mikael Magnusson <mikachu@xxxxxxxxx>
Date: Wed, 29 Apr 2026 01:55:44 +0200
Subject: PATCH 2/3: Coverity CID 1692322 I'm pretty sure this is a false
positive so add a debug message just in case
---
Src/glob.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Src/glob.c b/Src/glob.c
index 18b25eb449..513b7963be 100644
--- a/Src/glob.c
+++ b/Src/glob.c
@@ -3072,6 +3072,8 @@ igetmatch(char **sp, Patprog p, int fl, int n, char *replstr,
imd.repllist = (fl & SUB_LIST) ? znewlinklist() : newlinklist();
if (repllistp)
*repllistp = imd.repllist;
+ else
+ DPUTS((fl & SUB_LIST), "leaking a linklist");
}
ioff = 0; /* offset into string */
umlen = umltot;
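Review bot: DPUTS only exists in debug builds, so this makes the SUB_LIST / no-repllistp case visible to developers but does nothing about the leak itself if Coverity is right: when repllistp is NULL the znewlinklist() from the SUB_LIST branch lives only in imd.repllist and nothing in the hunk hands it to anyone who could free it. If the combination really cannot happen, a short comment next to the DPUTS saying why would let the next reader (and the next scan) skip it; if it can, freeing imd.repllist at the end of igetmatch when repllistp is NULL would be the actual fix. The non-SUB_LIST newlinklist() is deliberately excluded from the check, which deserves a word of explanation in the commit message.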
--
2.38.1
From 896c4861af696193a29dfb3ebc4673d373db3eb8 Mon Sep 17 00:00:00 2001
From: Mikael Magnusson <mikachu@xxxxxxxxx>
Date: Wed, 29 Apr 2026 02:07:42 +0200
Subject: PATCH 3/3: Coverity CID 1692315 memcpy of uninitialized member
winsize
I think this is not actually a problem but might as well initialize it.
---
Src/Zle/termquery.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Src/Zle/termquery.c b/Src/Zle/termquery.c
index d8be6e49a1..9b22354973 100644
--- a/Src/Zle/termquery.c
+++ b/Src/Zle/termquery.c
@@ -209,7 +209,7 @@ probe_terminal(const char *tquery, seqstate_t *states,
int *num = numbers;
int finish = 0, number = 0;
int ch;
- struct ttyinfo ti, torig;
+ struct ttyinfo ti = { 0 }, torig;
struct value vbuf;
Value v = getvalue(&vbuf, &WAITVAR, 0);
long timeout = v ? -1 - getintvalue(v) : TIMEOUT;
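Review bot: `= { 0 }` zero-initializes all of ti, so the uninitialized-winsize report should go away, but torig in the same declarator stays uninitialized; if the flagged memcpy is the one that saves ti into torig before ti has been filled in by the terminal query, the copy is now well-defined, otherwise torig may need the same initializer. If the first member of struct ttyinfo is itself a struct, some compilers warn about `{ 0 }` under -Wmissing-braces; `memset(&ti, 0, sizeof ti)` after the declaration avoids that while keeping the same effect.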
--
2.38.1
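The strcpy question at the top of the message (how big should n be, modulo off-by-ones) is really a question about where the copy starts: write_loop writes the whole header, FD_PRELEN * sizeof(wordcode) bytes, but the copy starts at fdversion(pre), which the message says is pre+2, so using the full header size as the bound would still allow two wordcodes of overrun. The following is an added example, not zsh's code and not from this thread: it builds a self-contained model of the header, derives the bound from the header size minus the offset of the version field, and reserves the last byte for the terminator (strncpy leaves none when the source is at least n bytes). The typedef, the values of FD_PRELEN and the fdversion macro mirror what the message states but are assumptions of this example, as are the helper names and the sample strings.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the header discussed in the message (assumptions
 * for this example, not zsh's own definitions): wordcode is an int-sized
 * type, the header is FD_PRELEN wordcodes long, and the version string
 * starts two wordcodes in.
 */
typedef unsigned int wordcode;
#define FD_PRELEN 12
#define fdversion(f) ((char *)((f) + 2))

/* Bytes left in the header after the two leading wordcodes: the space the
 * version string, NUL included, may occupy. */
#define FD_VERSION_SPACE ((FD_PRELEN - 2) * sizeof(wordcode))

/*
 * Zero the header and copy 'version' into it with an explicit bound.
 * Returns 0 if the whole string fit, -1 if it had to be truncated.
 * The stored field is always NUL-terminated, so a later strlen() or
 * strcmp() on fdversion(pre) cannot run past the header.
 */
int set_fd_version(wordcode *pre, const char *version)
{
    char *dst = fdversion(pre);
    size_t len = strlen(version);

    memset(pre, 0, sizeof(wordcode) * FD_PRELEN);
    if (len < FD_VERSION_SPACE) {
        memcpy(dst, version, len + 1);      /* fits, terminator included */
        return 0;
    }
    /* Too long: keep the last byte for the terminator (the off-by-one). */
    memcpy(dst, version, FD_VERSION_SPACE - 1);
    dst[FD_VERSION_SPACE - 1] = '\0';
    return -1;
}

/* Size of the version field, for callers that want to check up front. */
size_t fd_version_space(void)
{
    return FD_VERSION_SPACE;
}

/* Result code of copying 'version' into a fresh header. */
int version_fits(const char *version)
{
    wordcode pre[FD_PRELEN];
    return set_fd_version(pre, version);
}

/* Length of the string actually stored after copying 'version'. */
size_t stored_version_len(const char *version)
{
    wordcode pre[FD_PRELEN];
    set_fd_version(pre, version);
    return strlen(fdversion(pre));
}

int main(void)
{
    wordcode pre[FD_PRELEN];
    /* Constructed inputs: the version string quoted in the message and an
     * over-long one that must be cut down. */
    const char *ok = "zsh-5.9.0.3-test";
    const char *too_long =
        "zsh-5.9.0.3-test-with-a-suffix-that-is-far-too-long-to-fit";

    printf("version field holds %zu bytes\n", fd_version_space());
    printf("%s -> rc=%d stored=\"%s\"\n", ok, set_fd_version(pre, ok),
           fdversion(pre));
    printf("%s -> rc=%d stored=\"%s\"\n", too_long,
           set_fd_version(pre, too_long), fdversion(pre));
    return 0;
}
```

The point to carry back to parse.c is that the bound belongs to the field, not to the buffer: subtract the offset of fdversion() from the header size, and either reject or truncate anything that does not leave room for the NUL, rather than trusting the length of ZSH_VERSION at build time.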