From 3ef6650def28f7c29a2cc983086468d3195167d4 Mon Sep 17 00:00:00 2001
From: Andy Wingo
Date: Sat, 4 Dec 2010 19:31:20 +0100
Subject: [PATCH] make-string et al nulls memory if not given an initializer
* libguile/gc-malloc.c: Add a note that the gc-malloc does not clear the memory block, so users need to make sure it is initialized.
* libguile/bitvectors.c (scm_c_make_bitvector):
* libguile/bytevectors.c (scm_make_bytevector):
* libguile/strings.c (scm_c_make_string): If no initializer is given, initialize the bytes to 0. Prevents information leakage if an app uses make-string et al without initializers.
* libguile/foreign.c (make_cif): Initialize this too, to prevent leakage in the struct holes. Paranoia...
---
 libguile/bitvectors.c | 4 +++-
 libguile/bytevectors.c | 2 ++
 libguile/foreign.c | 2 ++
 libguile/gc-malloc.c | 6 ++++--
 libguile/strings.c | 10 +++++++---
 5 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/libguile/bitvectors.c b/libguile/bitvectors.c
index 67f5abdfb..65fc021d4 100644
--- a/libguile/bitvectors.c
+++ b/libguile/bitvectors.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1995,1996,1997,1998,2000,2001,2002,2003,2004, 2005, 2006, 2009 Free Software Foundation, Inc.
+/* Copyright (C) 1995,1996,1997,1998,2000,2001,2002,2003,2004, 2005, 2006, 2009, 2010 Free Software Foundation, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
@@ -117,6 +117,8 @@ scm_c_make_bitvector (size_t len, SCM fill)
 if (!SCM_UNBNDP (fill))
 scm_bitvector_fill_x (res, fill);
+ else
+ memset (bits, 0, sizeof (scm_t_uint32) * word_len);
 return res;
 }
diff --git a/libguile/bytevectors.c b/libguile/bytevectors.c
index 31703bf2e..30adbff57 100644
--- a/libguile/bytevectors.c
+++ b/libguile/bytevectors.c
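Review bot: The new `else` branch in scm_c_make_bitvector clears `word_len` words through `bits`, neither of which is visible in the hunk, so it relies on `bits` still pointing at the vector's freshly allocated word array and on `word_len` being the allocated word count rather than the bit count; the function's start is outside the hunk, so confirm both against the lines above. A why-comment would keep the branch from being read as redundant: `/* No fill given: zero the words, since gc-malloc'd memory is not cleared.  */`. The fill path deserves the same scrutiny: if scm_bitvector_fill_x writes only the low `len` bits of the final word, the padding bits of that word stay uninitialized when a fill is supplied, which this commit does not address.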
@@ -482,6 +482,8 @@ SCM_DEFINE (scm_make_bytevector, "make-bytevector", 1, 1, 0,
 for (i = 0; i < c_len; i++)
 contents[i] = c_fill;
 }
+ else
+ memset (SCM_BYTEVECTOR_CONTENTS (bv), 0, c_len);
 return bv;
 }
diff --git a/libguile/foreign.c b/libguile/foreign.c
index b50f5a17b..082ec7f05 100644
--- a/libguile/foreign.c
+++ b/libguile/foreign.c
@@ -609,6 +609,8 @@ make_cif (SCM return_type, SCM arg_types, const char *caller)
 + (nargs + n_struct_elts + 1)*sizeof(ffi_type));
 mem = scm_gc_malloc_pointerless (cif_len, "foreign");
+ /* ensure all the memory is initialized, even the holes */
+ memset (mem, 0, cif_len);
 cif = (ffi_cif *) mem;
 /* reuse cif_len to walk through the mem */
diff --git a/libguile/gc-malloc.c b/libguile/gc-malloc.c
index e409b6eb2..4f77f65dd 100644
--- a/libguile/gc-malloc.c
+++ b/libguile/gc-malloc.c
@@ -169,8 +169,10 @@ scm_gc_unregister_collectable_memory (void *mem, size_t size, const char *what)
 #endif
 }
-/* Allocate SIZE bytes of memory whose contents should not be scanned for
- pointers (useful, e.g., for strings). */
+/* Allocate SIZE bytes of memory whose contents should not be scanned
+ for pointers (useful, e.g., for strings). Note though that this
+ memory is *not* cleared; be sure to initialize it to prevent
+ information leaks. */
 void *
 scm_gc_malloc_pointerless (size_t size, const char *what)
 {
diff --git a/libguile/strings.c b/libguile/strings.c
index a30545079..729b33d2e 100644
--- a/libguile/strings.c
+++ b/libguile/strings.c
@@ -1112,7 +1112,7 @@ SCM_DEFINE (scm_make_string, "make-string", 1, 1, 0,
 "Return a newly allocated string of\n"
 "length @var{k}. If @var{chr} is given, then all elements of\n"
 "the string are initialized to @var{chr}, otherwise the contents\n"
- "of the @var{string} are unspecified.")
+ "of the @var{string} are all set to @var{#\nul}.")
 #define FUNC_NAME s_scm_make_string
 {
 return scm_c_make_string (scm_to_size_t (k), chr);
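Review bot: The `else` branch added to scm_make_bytevector clears `c_len` bytes through `SCM_BYTEVECTOR_CONTENTS (bv)` without saying why, while the parallel change in foreign.c carries a comment; add `/* No fill given: clear the contents, since gc-malloc'd memory is not zeroed.  */` above the memset so the branch is not mistaken for dead code. Re-evaluating the macro here instead of reusing `contents` from the fill loop suggests `contents` is scoped to the `if` block above, which is outside the hunk — confirm that, since otherwise the two branches should name the buffer the same way. The SCM_DEFINE body starts before the hunk.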
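Review bot: In the replaced docstring line of scm_make_string, `#\nul` sits inside a C string literal, so `\n` is the newline escape and the rendered text becomes `@var{#` followed by `ul}` on the next line; the backslash must be doubled. The markup is also off: `@var{}` marks a metasyntactic variable, and a literal character name belongs in `@code{}`, so the line should read `"of the @var{string} are all set to @code{#\\nul}.")`. The existing `@var{string}` on the same line has the same markup problem but predates this commit. The SCM_DEFINE body continues past the hunk.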
@@ -1124,9 +1124,13 @@ scm_c_make_string (size_t len, SCM chr)
 #define FUNC_NAME NULL
 {
 size_t p;
- SCM res = scm_i_make_string (len, NULL);
+ char *contents = NULL;
+ SCM res = scm_i_make_string (len, &contents);
- if (!SCM_UNBNDP (chr))
+ /* If no char is given, initialize string contents to NULL. */
+ if (SCM_UNBNDP (chr))
+ memset (contents, 0, len);
+ else
 {
 SCM_VALIDATE_CHAR (0, chr);
 res = scm_i_string_start_writing (res);
-- 
2.20.1
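Review bot: The added comment `/* If no char is given, initialize string contents to NULL. */` says NULL where the code writes zero bytes, which reads as the null pointer; say what the memset does: `/* No char given: fill the contents with NUL bytes, since the allocator does not clear the buffer.  */`. The memset also assumes scm_i_make_string always stores a non-NULL buffer into `contents`; if it can leave the initial NULL in place (for example when `len` is 0), memset on a null pointer is undefined even with a zero length, so either confirm that guarantee or guard with `if (len > 0)`. The body of scm_c_make_string continues past the hunk.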