Uninitialized memory use in unix/memquery_library_bounds_by_iterator

Created by: Carrotman42

While writing a unit test for memquery_library_bounds_by_iterator, I discovered a bug related to uninitialized memory. Specifically, we are not correctly zero-terminating a string after using strncpy. (This is different than the problem that i#3387 references.)

The strncpy in question is on L146: https://github.com/DynamoRIO/dynamorio/blob/c8d5db27d4c28b33b63f5176bf52eb7f89ae0aaf/core/unix/memquery.c#L138-L157

Assuming that dstsz is greater than slash - src, this will cause the first slash - src bytes to be copied into dst; given that we know slash is a pointer to the inside of src, we can be sure that strncpy writes up to that number of bytes and correctly avoids writing a 0 byte to terminate the string. Later the code attempts to fix the issue by saying dst[dstsz - 1] = '\0', but that leaves the middle part of the string still completely uninitialized.

This causes problems later in the algorithm, since (in some cases) the dst is stored into name_cmp and used to compare consecutive mappings' comment fields, causing them to be mismatched in cases where the uninitialized memory was not 0 already.

I have a simple fix locally which simply null-terminates this 'dst' string more proactively.