File tcsh-6.20-ptr-update.patch of Package tcsh.14996
The code in tw_str_add() attempts to be efficient by sliding the
pointers to reallocated elements within the string list to the new
virtual address using a computed offset between buffers.
For bounds checked pointers, this produces out of bounds pointers.
Additionally, the subtraction of pointers to different objects is
undefined in C so a sufficiently "smart" compiler could choose to do
anything here since it knows the objects are different.
We need this change on our research platform to avoid crashes in tab
completion.
-- Brooks
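The re-threading problem described above, as an added example that is not part of the original patch or of tcsh: a miniature string list that records each entry's offset while the old buffer is still live and then derives the new pointers from the new buffer. The struct, function names and fixed list size are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of a string list: one character buffer plus
 * pointers into it (names are illustrative, not tcsh's). */
struct strlist {
    char  *buff;    /* backing storage */
    size_t used;    /* bytes in use */
    size_t cap;     /* bytes allocated */
    char  *list[8]; /* pointers to the start of each string in buff */
    size_t nlist;
};

/* Append s, growing the buffer if needed. Offsets are taken while the
 * old buffer is still live, so no pointer to freed memory is used. */
static int strlist_add(struct strlist *sl, const char *s)
{
    size_t len = strlen(s) + 1;
    if (sl->nlist == 8)
        return -1;
    if (sl->used + len > sl->cap) {
        size_t offs[8], i, ncap = (sl->used + len) * 2;
        for (i = 0; i < sl->nlist; i++)
            offs[i] = (size_t)(sl->list[i] - sl->buff); /* same object */
        char *nb = realloc(sl->buff, ncap);
        if (nb == NULL)
            return -1;
        sl->buff = nb;
        sl->cap = ncap;
        for (i = 0; i < sl->nlist; i++)
            sl->list[i] = sl->buff + offs[i]; /* derived from new buffer */
    }
    memcpy(sl->buff + sl->used, s, len);
    sl->list[sl->nlist++] = sl->buff + sl->used;
    sl->used += len;
    return 0;
}

/* Returns 1 when every list entry points inside the current buffer. */
static int strlist_in_bounds(const struct strlist *sl)
{
    uintptr_t lo = (uintptr_t)sl->buff, hi = lo + sl->used;
    for (size_t i = 0; i < sl->nlist; i++) {
        uintptr_t p = (uintptr_t)sl->list[i];
        if (p < lo || p >= hi)
            return 0;
    }
    return 1;
}
```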
commit 85489fafb8fd908ba307df0c774e1706c19cd4b8
Author: Brooks Davis <brooks@one-eyed-alien.net>
Date:   Wed Dec 7 01:04:14 2016 +0000
    Fix a pointer provenance error in list extension.
    
    When updating pointers to a buffer of linked list elements, derive
    the new pointers from the new buffer rather than updating the old pointers
    to the new virtual memory address of the buffer (resulting in out of bounds
    values).
---
 tw.init.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
--- tw.init.c
+++ tw.init.c	2016-12-07 15:27:20.024397004 +0000
@@ -125,9 +125,8 @@ tw_str_add(stringlist_t *sl, size_t len)
 	sl->buff = xrealloc(sl->buff, sl->tbuff * sizeof(Char));
 	/* Re-thread the new pointer list, if changed */
 	if (ptr != NULL && ptr != sl->buff) {
-	    intptr_t offs = sl->buff - ptr;
 	    for (i = 0; i < sl->nlist; i++)
-		sl->list[i] += offs;
+		sl->list[i] = sl->buff + (sl->list[i] - ptr);
 	}
 	disabled_cleanup(&pintr_disabled);
     }
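Review bot: the added line still evaluates `sl->list[i] - ptr` after `xrealloc()` has returned a different buffer, so, assuming `ptr` holds the pre-realloc value of `sl->buff` as the `ptr != sl->buff` test implies, both operands refer to storage that has already been released, and C gives such pointer values no defined meaning. The new pointer is now correctly derived from `sl->buff`, which fixes the out-of-bounds result, but the offset computation would be cleaner if it happened before the `xrealloc()` call (saving `sl->list[i] - sl->buff` per entry while the old buffer is live), or if `sl->list` stored offsets instead of pointers. The unchanged `ptr != sl->buff` comparison has the same dependency on the stale pointer and could be replaced by re-threading unconditionally from the saved offsets.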