From 724fd07a67f135c74eba57e9f25fd342201ec722 Mon Sep 17 00:00:00 2001
From: Peter Stephenson
Date: Sat, 3 Dec 2011 17:24:45 +0000
Subject: 29934: Stef van Vlierberghe: uninitialised memory after lexer realloc
---
 ChangeLog | 7 ++++++-
 Src/lex.c | 12 ++----------
 2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 4bf1f0bdd..b61f903bb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-12-03 Peter Stephenson
+
+ * From Stef VAN VLIERBERGHE: 29934: Src/lex.c (add): use of
+ uninitialised memoryx when lexer needed to reallocate token.
+
 2011-12-02 Peter Stephenson
 
 * unposted: Test/B01cd.ztst: fix documentation for '*'
@@ -15645,5 +15650,5 @@
 
 *****************************************************
 * This is used by the shell to define $ZSH_PATCHLEVEL
-* $Revision: 1.5513 $
+* $Revision: 1.5514 $
 *****************************************************
diff --git a/Src/lex.c b/Src/lex.c
index 90c4effd9..05f54f842 100644
--- a/Src/lex.c
+++ b/Src/lex.c
@@ -567,22 +567,14 @@ add(int c)
 {
 *bptr++ = c;
 if (bsiz == ++len) {
-#if 0
- int newbsiz;
-
- newbsiz = bsiz * 8;
- while (newbsiz < inbufct)
- newbsiz *= 2;
- bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
- bsiz = newbsiz;
-#endif
-
 int newbsiz = bsiz * 2;
 
 if (newbsiz > inbufct && inbufct > bsiz)
 newbsiz = inbufct;
 
 bptr = len + (tokstr = (char *)hrealloc(tokstr, bsiz, newbsiz));
+ /* len == bsiz, so bptr is at the start of newly allocated memory */
+ memset(bptr, 0, newbsiz - bsiz);
 bsiz = newbsiz;
 }
 }
-- 
cgit 1.4.1
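Review bot: The length given to the added `memset(bptr, 0, newbsiz - bsiz)` is only valid while `newbsiz > bsiz`, and nothing in `add()` enforces that: `int newbsiz = bsiz * 2` can overflow for a very long token (assuming `bsiz` is a signed `int` like `newbsiz`; its declaration is outside the hunk). A negative difference would be converted to a huge `size_t`, so the zero-fill would run far past the block returned by `hrealloc`. A guard before the doubling, such as `if (bsiz > INT_MAX / 2)` followed by the lexer's usual error path, would keep the length positive. The new comment explains where `bptr` points but not why the tail must be zeroed; I would extend it to `/* len == bsiz, so bptr is at the start of the newly allocated memory; zero it because later readers may look past len */`, wording to be confirmed against the actual consumer.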