The code in tw_str_add() attempts to be efficient by sliding the pointers to reallocated elements within the string list to the new virtual address using a computed offset between buffers. For bounds checked pointers, this produces out of bounds pointers. Additionally, the subtraction of pointers to different objects is undefined in C so a sufficiently "smart" compiler could choose to do anything here since it knows the objects are different.

We need this change on our research platform to avoid crashes in tab completion.

-- Brooks

commit 85489fafb8fd908ba307df0c774e1706c19cd4b8
Author: Brooks Davis
Date: Wed Dec 7 01:04:14 2016 +0000

Fix a pointer provenance error in list extension.

When updating pointers to a buffer of linked list elements, derive the new pointers from the new buffer rather than updating the old pointers to the new virtual memory address of the buffer (resulting in out of bounds values).

--- tw.init.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- tw.init.c +++ tw.init.c 2016-12-07 15:27:20.024397004 +0000 @@ -125,9 +125,8 @@ tw_str_add(stringlist_t *sl, size_t len) sl->buff = xrealloc(sl->buff, sl->tbuff * sizeof(Char)); /* Re-thread the new pointer list, if changed */ if (ptr != NULL && ptr != sl->buff) { - intptr_t offs = sl->buff - ptr; for (i = 0; i < sl->nlist; i++) - sl->list[i] += offs; + sl->list[i] = sl->buff + (sl->list[i] - ptr); } disabled_cleanup(&pintr_disabled); }
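
Review bot: in the added line `sl->list[i] = sl->buff + (sl->list[i] - ptr);` the difference is still taken between two pointers into the buffer that xrealloc() has just released. ptr appears to hold the pre-realloc value of sl->buff (its assignment is outside the hunk), so sl->list[i] and ptr now refer to the same object, which fixes the cross-object subtraction, but in ISO C both values are indeterminate once the old allocation's lifetime ends, and the same applies to the `ptr != sl->buff` comparison. Consider recording the element offsets before the xrealloc() call, or keeping offsets rather than pointers in sl->list, and extending the "Re-thread" comment to say that new pointers must be derived from sl->buff so the old arithmetic is not reintroduced later.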
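
The rebasing described in the commit message, as an added example that is not tcsh code: each element's offset is recorded while the old buffer is still live, and every pointer is then derived from the new buffer after realloc(). The `struct strlist` type and the `sl_grow`/`sl_add` names are hypothetical, and taking the offsets before the reallocation goes one step beyond what the patch does.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of a string list: list[i] points into buff. */
struct strlist {
    char  *buff;    /* backing storage for all strings */
    size_t used;    /* bytes in use */
    size_t cap;     /* bytes allocated */
    char **list;    /* pointer to the start of each string */
    size_t nlist;   /* number of entries in list */
};

/* Grow buff to newcap bytes; 0 on success, -1 on failure (list unchanged). */
int sl_grow(struct strlist *sl, size_t newcap)
{
    /* Record each element as an offset while the old buffer is still live. */
    size_t *offs = malloc((sl->nlist ? sl->nlist : 1) * sizeof(*offs));
    if (offs == NULL)
        return -1;
    for (size_t i = 0; i < sl->nlist; i++)
        offs[i] = (size_t)(sl->list[i] - sl->buff);
    char *nb = realloc(sl->buff, newcap);
    if (nb == NULL) {
        free(offs);
        return -1;
    }
    sl->buff = nb;
    sl->cap = newcap;
    /* Derive every pointer from the new buffer, never from the old one. */
    for (size_t i = 0; i < sl->nlist; i++)
        sl->list[i] = sl->buff + offs[i];
    free(offs);
    return 0;
}

/* Append a NUL-terminated string, growing as needed; returns index or -1. */
int sl_add(struct strlist *sl, const char *s)
{
    size_t len = strlen(s) + 1;
    if (sl->used + len > sl->cap && sl_grow(sl, (sl->used + len) * 2) != 0)
        return -1;
    char **nl = realloc(sl->list, (sl->nlist + 1) * sizeof(*nl));
    if (nl == NULL)
        return -1;
    sl->list = nl;
    sl->list[sl->nlist] = memcpy(sl->buff + sl->used, s, len);
    sl->used += len;
    return (int)sl->nlist++;
}
```

Start from a zero-initialised `struct strlist`; after any number of `sl_add()` calls every `list[i]` lies inside the current `buff`, which is the property a bounds-checked pointer needs.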