make-string et al nulls memory if not given an initializer

* libguile/gc-malloc.c: Add a note that the gc-malloc does not clear the memory block, so users need to make sure it is initialized. * libguile/bitvectors.c (scm_c_make_bitvector): * libguile/bytevectors.c (scm_make_bytevector): * libguile/strings.c (scm_c_make_string): If no initializer is given, initialize the bytes to 0. Prevents information leakage if an app uses make-string et al without initializers. * libguile/foreign.c (make_cif): Initialize this too, to prevent leakage in the struct holes. Paranoia...
2025-06-19 02:00:26 +02:00 · 2010-12-04 19:31:20 +01:00 · 2010-12-04 19:31:20 +01:00 · 3ef6650def
commit 3ef6650def
parent 8556760c23
5 changed files with 18 additions and 6 deletions
--- a/libguile/bitvectors.c
+++ b/libguile/bitvectors.c
@ -1,4 +1,4 @@
-/* Copyright (C) 1995,1996,1997,1998,2000,2001,2002,2003,2004, 2005, 2006, 2009 Free Software Foundation, Inc.
+/* Copyright (C) 1995,1996,1997,1998,2000,2001,2002,2003,2004, 2005, 2006, 2009, 2010 Free Software Foundation, Inc.
 * 
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
@ -117,6 +117,8 @@ scm_c_make_bitvector (size_t len, SCM fill)

  if (!SCM_UNBNDP (fill))
    scm_bitvector_fill_x (res, fill);
+  else
+    memset (bits, 0, sizeof (scm_t_uint32) * word_len);
      
  return res;
 }
--- a/libguile/bytevectors.c
+++ b/libguile/bytevectors.c
@ -482,6 +482,8 @@ SCM_DEFINE (scm_make_bytevector, "make-bytevector", 1, 1, 0,
      for (i = 0; i < c_len; i++)
 	contents[i] = c_fill;
    }
+  else
+    memset (SCM_BYTEVECTOR_CONTENTS (bv), 0, c_len);

  return bv;
 }
--- a/libguile/foreign.c
+++ b/libguile/foreign.c
@ -609,6 +609,8 @@ make_cif (SCM return_type, SCM arg_types, const char *caller)
 	     + (nargs + n_struct_elts + 1)*sizeof(ffi_type));

  mem = scm_gc_malloc_pointerless (cif_len, "foreign");
+  /* ensure all the memory is initialized, even the holes */
+  memset (mem, 0, cif_len);
  cif = (ffi_cif *) mem;

  /* reuse cif_len to walk through the mem */
--- a/libguile/gc-malloc.c
+++ b/libguile/gc-malloc.c
@ -169,8 +169,10 @@ scm_gc_unregister_collectable_memory (void *mem, size_t size, const char *what)
 #endif
 }

-/* Allocate SIZE bytes of memory whose contents should not be scanned for
-   pointers (useful, e.g., for strings).  */
+/* Allocate SIZE bytes of memory whose contents should not be scanned
+   for pointers (useful, e.g., for strings).  Note though that this
+   memory is *not* cleared; be sure to initialize it to prevent
+   information leaks.  */
 void *
 scm_gc_malloc_pointerless (size_t size, const char *what)
 {
--- a/libguile/strings.c
+++ b/libguile/strings.c
@ -1112,7 +1112,7 @@ SCM_DEFINE (scm_make_string, "make-string", 1, 1, 0,
 	    "Return a newly allocated string of\n"
            "length @var{k}.  If @var{chr} is given, then all elements of\n"
 	    "the string are initialized to @var{chr}, otherwise the contents\n"
-	    "of the @var{string} are unspecified.")
+	    "of the @var{string} are all set to @var{#\nul}.")
 #define FUNC_NAME s_scm_make_string
 {
  return scm_c_make_string (scm_to_size_t (k), chr);
@ -1124,9 +1124,13 @@ scm_c_make_string (size_t len, SCM chr)
 #define FUNC_NAME NULL
 {
  size_t p;
-  SCM res = scm_i_make_string (len, NULL);
+  char *contents = NULL;
+  SCM res = scm_i_make_string (len, &contents);

-  if (!SCM_UNBNDP (chr))
+  /* If no char is given, initialize string contents to NULL.  */
+  if (SCM_UNBNDP (chr))
+    memset (contents, 0, len);
+  else
    {
      SCM_VALIDATE_CHAR (0, chr);
      res = scm_i_string_start_writing (res);