Subject: bin/5861: lint(1) uses uninitialized memory, etc.
To: None <gnats-bugs@gnats.netbsd.org>
From: ITOH Yasufumi <yasufu-i@is.aist-nara.ac.jp>
List: netbsd-bugs
Date: 07/27/1998 19:23:12
>Number:         5861
>Category:       bin
>Synopsis:       lint(1) uses uninitialized memory, etc.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 27 03:35:01 1998
>Last-Modified:
>Originator:     ITOH Yasufumi
>Organization:
	Nara Institute of Science and Technology, Nara, Japan
>Release:        1.3F (July 26, 1998)
>Environment:
System: NetBSD acha.my.domain 1.3F NetBSD 1.3F (DONALD) #1: Wed Jul 15 01:52:49 JST 1998 itohy@myname.my.domain:/usr/src/sys.test/arch/x68k/compile/DONALD x68k


>Description:
	I found the following bugs on lint(1):

	1. uninitialized memory may be used.
	2. NULL is used in many places as an integer 0, and even as a floating-point 0.

>How-To-Repeat:
	These bugs do not seem to show up on NetBSD at present, but they are worth fixing.
	I had trouble constructing an m68k cross environment on Solaris
	(Solaris needs further patches besides this one).

	If you want to see the bugs appear, try this:

	1. insert code such as  memset(p, 0xff, sizeof(...));
	   after every malloc, xmalloc, etc., and run xlint.
	2. add  -DNULL='((void *)0)'  to the CPPFLAGS of the Makefiles of
	   xlint source, and make.

>Fix:
	Apply this patch.

diff -uF^[a-zA-Z_][a-z 	A-Z0-9_]*(.*[^;]$ src/usr.bin/xlint/lint2/chk.c.orig src/usr.bin/xlint/lint2/chk.c
--- src/usr.bin/xlint/lint2/chk.c.orig	Mon Feb 23 21:15:15 1998
+++ src/usr.bin/xlint/lint2/chk.c	Mon Jul 27 14:06:47 1998
@@ -709,7 +709,7 @@ printflike(hte, call, n, fmt, ap)
 	const	char *fp;
 	int	fc;
 	int	fwidth, prec, left, sign, space, alt, zero;
-	tspec_t	sz, t1, t2 = NULL;
+	tspec_t	sz, t1, t2 = NOTSPEC;
 	type_t	*tp;
 
 	fp = fmt;
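Review bot: After this change `t1` in printflike is still left without an initializer on the declaration line, whereas the scanflike declaration in the next hunk initializes both `t1` and `t2` to NOTSPEC. If `t1` is assigned on every path before it is read that is fine, but the asymmetry invites exactly the "used uninitialized" question this report is about; either initialize it as well, `tspec_t sz, t1 = NOTSPEC, t2 = NOTSPEC;`, or add a one-line comment above the declaration stating where `t1` is assigned before its first read. Whether NOTSPEC has the value 0 is not visible here, so if it does not, the new initializer also changes the value `t2` previously held via NULL—presumably intended, since the enum sentinel is what the later comparisons should see. The printflike body begins and ends outside this hunk.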
@@ -939,7 +939,7 @@ scanflike(hte, call, n, fmt, ap)
 	const	char *fp;
 	int	fc;
 	int	noasgn, fwidth;
-	tspec_t	sz, t1 = NULL, t2 = NULL;
+	tspec_t	sz, t1 = NOTSPEC, t2 = NOTSPEC;
 	type_t	*tp = NULL;
 
 	fp = fmt;
diff -uF^[a-zA-Z_][a-z 	A-Z0-9_]*(.*[^;]$ src/usr.bin/xlint/lint2/read.c.orig src/usr.bin/xlint/lint2/read.c
--- src/usr.bin/xlint/lint2/read.c.orig	Mon Feb 23 21:15:16 1998
+++ src/usr.bin/xlint/lint2/read.c	Mon Jul 27 14:06:47 1998
@@ -1189,6 +1189,7 @@ mkstatic(hte)
 	 */
 	for (nhte = hte; nhte->h_link != NULL; nhte = nhte->h_link) ;
 	nhte->h_link = xmalloc(sizeof (hte_t));
+	bzero(nhte->h_link, sizeof (hte_t));
 	nhte = nhte->h_link;
 	nhte->h_name = hte->h_name;
 	nhte->h_static = 1;
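Review bot: `bzero` is a legacy BSD interface rather than ISO C; `memset(nhte->h_link, 0, sizeof (hte_t));` is the standard equivalent and avoids a dependency on `<strings.h>`, and the same applies to the `bzero(hte, sizeof (hte_t));` line in the hash.c `_hsearch` hunk below. Zeroing a freshly xmalloc'd hte_t at two separate sites suggests the allocation itself should hand back zeroed memory—if the lint2 tree has a calloc-style wrapper next to xmalloc, using it here would keep future allocation sites from repeating the omission; if not, a short comment such as `/* all hte_t fields must start zeroed; later code tests them for NULL/0 */` records why the zeroing is required. The enclosing mkstatic body starts before this hunk.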
diff -uF^[a-zA-Z_][a-z 	A-Z0-9_]*(.*[^;]$ src/usr.bin/xlint/lint2/hash.c.orig src/usr.bin/xlint/lint2/hash.c
--- src/usr.bin/xlint/lint2/hash.c.orig	Mon Feb 23 21:15:15 1998
+++ src/usr.bin/xlint/lint2/hash.c	Mon Jul 27 14:06:47 1998
@@ -112,6 +112,7 @@ _hsearch(table, s, mknew)
 
 	/* create a new hte */
 	hte = xmalloc(sizeof (hte_t));
+	bzero(hte, sizeof (hte_t));
 	hte->h_name = xstrdup(s);
 	hte->h_lsym = &hte->h_syms;
 	hte->h_lcall = &hte->h_calls;
diff -uF^[a-zA-Z_][a-z 	A-Z0-9_]*(.*[^;]$ src/usr.bin/xlint/lint1/decl.c.orig src/usr.bin/xlint/lint1/decl.c
--- src/usr.bin/xlint/lint1/decl.c.orig	Mon Feb 23 21:15:11 1998
+++ src/usr.bin/xlint/lint1/decl.c	Mon Jul 27 14:06:50 1998
@@ -1450,7 +1450,7 @@ chkfdef(sym, msg)
 dname(sym)
 	sym_t	*sym;
 {
-	scl_t	sc = NULL;
+	scl_t	sc = NOSCL;
 
 	if (sym->s_scl == NOSCL) {
 		dcs->d_rdcsym = NULL;
@@ -1580,7 +1580,7 @@ mktag(tag, kind, decl, semi)
 	tspec_t	kind;
 	int	decl, semi;
 {
-	scl_t	scl = NULL;
+	scl_t	scl = NOSCL;
 	type_t	*tp;
 
 	if (kind == STRUCT) {
diff -uF^[a-zA-Z_][a-z 	A-Z0-9_]*(.*[^;]$ src/usr.bin/xlint/lint1/tree.c.orig src/usr.bin/xlint/lint1/tree.c
--- src/usr.bin/xlint/lint1/tree.c.orig	Thu Apr  9 20:12:45 1998
+++ src/usr.bin/xlint/lint1/tree.c	Mon Jul 27 14:06:51 1998
@@ -769,7 +769,8 @@ typeok(op, arg, ln, rn)
 	tnode_t	*ln, *rn;
 {
 	mod_t	*mp;
-	tspec_t	lt, rt = NULL, lst = NULL, rst = NULL, olt = NULL, ort = NULL;
+	tspec_t	lt, rt = NOTSPEC, lst = NOTSPEC, rst = NOTSPEC,
+		olt = NOTSPEC, ort = NOTSPEC;
 	type_t	*ltp, *rtp = NULL, *lstp = NULL, *rstp = NULL;
 	tnode_t	*tn;
 
@@ -1220,7 +1221,7 @@ asgntypok(op, arg, ln, rn)
 	int	arg;
 	tnode_t	*ln, *rn;
 {
-	tspec_t	lt, rt, lst = NULL, rst = NULL;
+	tspec_t	lt, rt, lst = NOTSPEC, rst = NOTSPEC;
 	type_t	*ltp, *rtp, *lstp = NULL, *rstp = NULL;
 	mod_t	*mp;
 	const	char *lts, *rts;
@@ -1673,7 +1674,7 @@ convert(op, arg, tp, tn)
 	tnode_t	*tn;
 {
 	tnode_t	*ntn;
-	tspec_t	nt, ot, ost = NULL;
+	tspec_t	nt, ot, ost = NOTSPEC;
 
 	if (tn->tn_lvalue)
 		lerror("convert() 1");
@@ -1915,7 +1916,7 @@ cvtcon(op, arg, tp, nv, v)
 	val_t	*nv, *v;
 {
 	tspec_t	ot, nt;
-	ldbl_t	max = NULL, min = NULL;
+	ldbl_t	max = 0.0, min = 0.0;
 	int	sz, rchk;
 	quad_t	xmask, xmsk1;
 	int	osz, nsz;
@@ -3881,7 +3882,7 @@ precconf(tn)
 	tnode_t	*tn;
 {
 	tnode_t	*ln, *rn;
-	op_t	lop, rop = NULL;
+	op_t	lop, rop = NOOP;
 	int	lparn, rparn = 0;
 	mod_t	*mp;
 	int	warn;
>Audit-Trail:
>Unformatted: