Fix for memory mgmt in variable expansion (Solaris 105-CR7032068)

This upstreams a Solaris patch: https://github.com/oracle/solaris-userland/blob/master/components/ksh93/patches/105-CR7032068.patch No other information is publicly available but this has been in production use on Solaris for a long time. It looks like this is intended to avoid an invalid free().
2025-03-09 15:50:02 +00:00 · 2021-01-09 00:28:11 +00:00 · 2021-01-09 00:28:11 +00:00 · 096f46eee5
commit 096f46eee5
parent 37637ab6b4
1 changed files with 6 additions and 1 deletions
--- a/src/cmd/ksh93/sh/macro.c
+++ b/src/cmd/ksh93/sh/macro.c
@ -1071,7 +1071,7 @@ static int varsub(Mac_t *mp)
 {
 	register int	c;
 	register int	type=0; /* M_xxx */
-	register char	*v,*argp=0;
+	register char	*v, *new_v=0, *argp=0;
 	register Namval_t	*np = NIL(Namval_t*);
 	register int 	dolg=0, mode=0;
 	Lex_t		*lp = (Lex_t*)mp->shp->lex_context;
@ -1450,6 +1450,7 @@ retry1:
 				if((mp->let || (mp->arith&&nv_isattr(np,(NV_LJUST|NV_RJUST|NV_ZFILL)))) && !nv_isattr(np,NV_INTEGER) && (offset==0 || isspace(c) || strchr(",.+-*/=%&|^?!<>",c)))
 					mp->zeros = 1;
 			}
+			new_v = v = strdup(v);
 			if(savptr==stakptr(0))
 				stkseek(stkp,offset);
 			else
@ -2018,6 +2019,8 @@ retry2:
 	}
 	if(np)
 		nv_close(np);
+	if(new_v)
+		free(new_v);
 	if(pattern)
 		free(pattern);
 	if(repstr)
@ -2026,6 +2029,8 @@ retry2:
 		free(idx);
 	return(1);
 nosub:
+	if(new_v)
+		free(new_v);
 	if(type==M_BRACE && sh_lexstates[ST_NORM][c]==S_BREAK)
 	{
 		fcseek(-1);