CVE-2025-9640: s3/modules/vfs_streams_xattr fix unitialized write

This commit fixes a situation in which vfs_streams_xattr could
write unitialized memory into alternate data streams if the
user writes to an offset that is beyond the current end of file
to insert a hole in it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15885

Signed-off-by: Andrew Walker <[email protected]>
Reviewed-by: Volker Lendecke <[email protected]>

Autobuild-User(master): Volker Lendecke <[email protected]>
Autobuild-Date(master): Thu Oct 16 19:47:19 UTC 2025 on atb-devel-224

Author: anodos325

source3/modules/vfs_streams_xattr.c

@@ -1051,15 +1051,18 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle,
 
         if ((offset + n) > ea.value.length-1) {
 		uint8_t *tmp;
+		size_t new_sz = offset + n + 1;
 
 		tmp = talloc_realloc(talloc_tos(), ea.value.data, uint8_t,
-					   offset + n + 1);
+					   new_sz);
 
 		if (tmp == NULL) {
 			TALLOC_FREE(ea.value.data);
                         errno = ENOMEM;
                         return -1;
                 }
+
+		memset(tmp + ea.value.length, 0, new_sz - ea.value.length);
 		ea.value.data = tmp;
 		ea.value.length = offset + n + 1;
 		ea.value.data[offset+n] = 0;