From d69162dbf46c88003584c195119b5793e18c8f48 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Wed, 22 Apr 2026 10:59:11 +1000
Subject: [PATCH 30/60] zero all new memory from allocations

Change my_alloc() to use calloc instead of malloc so all fresh
allocations return zeroed memory. Also zero the expanded portion
in expand_item_list() after realloc, since it knows both old and
new sizes. This gives more predictable behaviour in case of bugs
where uninitialised or stale memory is accidentally accessed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 util1.c | 2 ++
 util2.c | 4 +---
 2 files changed, 3 insertions(+), 3 deletions(-)

Index: rsync-3.1.3/util.c
===================================================================
--- rsync-3.1.3.orig/util.c
+++ rsync-3.1.3/util.c
@@ -1804,28 +1804,27 @@ void *expand_item_list(item_list *lp, si
 	/* First time through, 0 <= 0, so list is expanded. */
 	if (lp->malloced <= lp->count) {
 		void *new_ptr;
-		size_t new_size = lp->malloced;
+		size_t expand_size;
 		if (incr < 0)
-			new_size += -incr; /* increase slowly */
-		else if (new_size < (size_t)incr)
-			new_size = incr;
-		else if (new_size)
-			new_size *= 2;
+			expand_size = -incr; /* increase slowly */
+		else if (lp->malloced < (size_t)incr)
+			expand_size = incr - lp->malloced;
+		else if (lp->malloced)
+			expand_size = lp->malloced; /* double in size */
 		else
-			new_size = 1;
-		if (new_size <= lp->malloced)
+			expand_size = 1;
+		if (SIZE_MAX/item_size - expand_size < lp->malloced)
 			overflow_exit("expand_item_list");
-		new_ptr = realloc_buf(lp->items, new_size * item_size);
+		expand_size += lp->malloced;
+		new_ptr = realloc_buf(lp->items, expand_size * item_size);
 		if (DEBUG_GTE(FLIST, 3)) {
 			rprintf(FINFO, "[%s] expand %s to %s bytes, did%s move\n",
-				who_am_i(), desc, big_num(new_size * item_size),
+				who_am_i(), desc, big_num(expand_size * item_size),
 				new_ptr == lp->items ? " not" : "");
 		}
-		if (!new_ptr)
-			out_of_memory("expand_item_list");
 
 		lp->items = new_ptr;
-		lp->malloced = new_size;
+		lp->malloced = expand_size;
 	}
 	return (char*)lp->items + (lp->count++ * item_size);
 }
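Review bot: Nothing on the new side of this hunk zeroes the grown tail of the list, although the commit message says expand_item_list() does so after the realloc. Between the `realloc_buf()` call and `lp->malloced = expand_size;` the new elements are left as the allocator returned them, unless realloc_buf() clears them itself, which is not visible here. Because `lp->malloced` still holds the old element count at that point, the zeroing could go just before the assignment as `memset((char*)new_ptr + lp->malloced * item_size, 0, (expand_size - lp->malloced) * item_size);`. With the `if (!new_ptr) out_of_memory(...)` check removed, that memset and the `lp->items = new_ptr` store both rely on realloc_buf() never returning NULL, so it is worth confirming that it exits on failure in this 3.1.3 tree. The start of the function lies outside the hunk.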
