Some functions that were passed string "out" paramters (char**)'s were

neglecting to assign them in error cases. We'd return from the C function
into the cig C stub with random garbage still in these pointers. The
string rep converters would then treat this garbage as a real pointer to
be copied into malloc'd storage, and havoc would result.

I fixed the code to assign 0 to the pointers in error cases. I should fix
cig to pre-initialise out parameters. The only real problem code was in
userinfo1.c, but I scanned all the sources, and fixed a few suspicious cases
here and there as well.

scsh/dirstuff1.c

@@ -45,7 +45,10 @@ int open_dir(const char *dirname,  char ***fnames, int *len)
     int num_entries;
     int e; /* errno temp */
 
-    if( NULL == (d = opendir(dirname)) ) return errno;
+    if( NULL == (d = opendir(dirname)) ) {
+      fnames = 0; len = 0;
+      return errno;
+      }
     
     entries = NULL; num_entries = 0;
     while( NULL != (dirent = readdir(d)) ) {
@@ -79,6 +82,7 @@ int open_dir(const char *dirname,  char ***fnames, int *len)
   lose1: e = errno; Free(dep);
   lose2: closedir(d);
   lose3: free_dirent_list(entries);
+    fnames = 0; len = 0;
     return e;
     }
 

scsh/network1.c

@@ -314,8 +314,10 @@ int scheme_getsockopt_linger (int s,
   struct linger optval;
   int optlen=sizeof(optval);
   
-  if (getsockopt(s,level,optname,(char *)&optval,&optlen) == -1)
+  if (getsockopt(s,level,optname,(char *)&optval,&optlen) == -1) {
+    out_time = 0;
     return(-1);
+    }
   *out_time=optval.l_linger;
   return(optval.l_onoff);
 }
@@ -328,8 +330,10 @@ int scheme_getsockopt_timeout (int s,
   struct timeval optval;
   int optlen=sizeof(optval);
   
-  if (getsockopt(s,level,optname,(char *)&optval,&optlen) == -1)
+  if (getsockopt(s,level,optname,(char *)&optval,&optlen) == -1) {
+    out_usec = 0;
     return(-1);
+    }
   *out_usec=optval.tv_usec;
   return(optval.tv_sec);
 }

scsh/syscalls1.c

@@ -211,7 +211,7 @@ int scheme_cwd(const char **dirp)
  lose:
   {int e = errno;
    Free(buf);
-   *dirp = NULL;
+   *dirp = 0;
    return e;}
 }
 
@@ -233,7 +233,7 @@ int scheme_cwd(const char **dirp)
   /* lose */
   e = errno;
   Free(buf);
-  *dirp = NULL;
+  *dirp = 0;
   return e;
 }
 #endif

scsh/userinfo1.c

@@ -54,7 +54,13 @@ int user_info_uid(uid_t uid,
 		  char **name, gid_t *gid, char **dir, char **shell)
 {
     struct passwd *pwd = getpwuid(uid);
-    if( !pwd ) return 0;
+    if( !pwd ) {
+        *name = 0;
+	*gid  = 0;
+	*dir  = 0;
+	*shell = 0;
+	return 0;
+        }
     *name = pwd->pw_name;
     *gid  = pwd->pw_gid;
     *dir  = pwd->pw_dir;
@@ -66,7 +72,13 @@ int user_info_name(const char *name,
 		   uid_t *uid, gid_t *gid, char **dir, char **shell)
 {
     struct passwd *pwd = getpwnam(name);
-    if( !pwd ) return 0;
+    if( !pwd ) {
+        *uid   = 0;
+	*gid   = 0;
+	*dir   = 0;
+	*shell = 0;
+	return 0;
+        }
     *uid  = pwd->pw_uid;
     *gid  = pwd->pw_gid;
     *dir  = pwd->pw_dir;
@@ -78,7 +90,12 @@ int user_info_name(const char *name,
 int group_info_gid (int gid,  char **name, char ***members, int *nmembers)
 {
     struct group *grp = getgrgid(gid);
-    if( !grp ) return 0;
+    if( !grp ) {
+        name = 0;
+	members = 0;
+	nmembers = 0;
+        return 0;
+        }
     *name = grp->gr_name;
     *members = grp->gr_mem;
     *nmembers = strvec_len(grp->gr_mem);
@@ -89,7 +106,12 @@ int group_info_name (const char *name,
 		     int *gid, char ***members, int *nmembers)
 {
     struct group *grp = getgrnam(name);
-    if( !grp ) return 0;
+    if( !grp ) {
+        gid = 0;
+	members = 0;
+	nmembers = 0;
+        return 0;
+        }
     *gid = grp->gr_gid;
     *members = grp->gr_mem;
     *nmembers = strvec_len(grp->gr_mem);