From 1aec9b06dd0de6c6796702cd128fd796ec7b1c09 Mon Sep 17 00:00:00 2001
From: Johnothan King <johnothanking@protonmail.com>
Date: Sat, 1 May 2021 20:06:30 -0700
Subject: [PATCH] Fix more bugs that occur when enabling ASan (#293)

src/cmd/ksh93/{bltins/typeset,sh/name,sh/nvtree,sh/nvtype}.c:
- Replace more instances of memcmp with strncmp to fix
  heap-buffer-overflow errors when running the regression tests
  with ASan enabled.

src/cmd/ksh93/edit/vi.c:
- Fix an invalid dereference of the 'p' pointer to fix a crash in
  vi mode when entering a comment in the command history. This
  bugfix was backported from ksh2020:
  https://github.com/att/ast/issues/798

src/cmd/ksh93/tests/pty.sh:
- Add a regression test for the vi mode crash.
---
 src/cmd/ksh93/bltins/typeset.c |  2 +-
 src/cmd/ksh93/edit/vi.c        |  2 +-
 src/cmd/ksh93/sh/name.c        |  2 +-
 src/cmd/ksh93/sh/nvtree.c      |  2 +-
 src/cmd/ksh93/sh/nvtype.c      |  2 +-
 src/cmd/ksh93/tests/pty.sh     | 15 +++++++++++++++
 6 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/src/cmd/ksh93/bltins/typeset.c b/src/cmd/ksh93/bltins/typeset.c
index 496d2fe33..eaf0fda55 100644
--- a/src/cmd/ksh93/bltins/typeset.c
+++ b/src/cmd/ksh93/bltins/typeset.c
@@ -1581,7 +1581,7 @@ static void print_scan(Sfio_t *file, int flag, Dt_t *root, int option,struct tda
 			if(name)
 			{
 				char *newname = nv_name(np);
-				if(memcmp(name,newname,len)==0 && newname[len]== '.')
+				if(strncmp(name,newname,len)==0 && newname[len]== '.')
 					continue;
 				name = 0;
 			}
diff --git a/src/cmd/ksh93/edit/vi.c b/src/cmd/ksh93/edit/vi.c
index 1a672bc38..511812d44 100644
--- a/src/cmd/ksh93/edit/vi.c
+++ b/src/cmd/ksh93/edit/vi.c
@@ -992,7 +992,7 @@ static int cntlmode(Vi_t *vp)
 				c = (virtual[0]=='#');
 				while(p-- >= virtual)
 				{
-					if(*p=='\n' || p<virtual)
+					if(p<virtual || *p=='\n')
 					{
 						if(c) /* delete '#' */
 						{
diff --git a/src/cmd/ksh93/sh/name.c b/src/cmd/ksh93/sh/name.c
index cbcfb5d1b..7e2422984 100644
--- a/src/cmd/ksh93/sh/name.c
+++ b/src/cmd/ksh93/sh/name.c
@@ -187,7 +187,7 @@ Namval_t *nv_addnode(Namval_t* np, int remove)
 		nv_delete(np,root,NV_NOFREE);
 		np = nv_search(sp->rp->nvname,root,NV_ADD);
 	}
-	if(sp->numnodes && memcmp(np->nvname,NV_CLASS,sizeof(NV_CLASS)-1))
+	if(sp->numnodes && strncmp(np->nvname,NV_CLASS,sizeof(NV_CLASS)-1))
 	{
 		name = (sp->nodes[0])->nvname;
 		i = strlen(name);
diff --git a/src/cmd/ksh93/sh/nvtree.c b/src/cmd/ksh93/sh/nvtree.c
index 9d5da4e30..d803e2c35 100644
--- a/src/cmd/ksh93/sh/nvtree.c
+++ b/src/cmd/ksh93/sh/nvtree.c
@@ -181,7 +181,7 @@ void *nv_diropen(Namval_t *np,const char *name)
 		{
 			char *cp = nv_name(dp->hp);
 			c = strlen(cp);
-			if(memcmp(name,cp,c) || name[c]!='[')
+			if(strncmp(name,cp,c) || name[c]!='[')
 				dp->hp = (Namval_t*)dtnext(dp->root,dp->hp);
 			else
 			{
diff --git a/src/cmd/ksh93/sh/nvtype.c b/src/cmd/ksh93/sh/nvtype.c
index d61d1de27..3ec80584d 100644
--- a/src/cmd/ksh93/sh/nvtype.c
+++ b/src/cmd/ksh93/sh/nvtype.c
@@ -883,7 +883,7 @@ Namval_t *nv_mktype(Namval_t **nodes, int numnodes)
 				continue;
 		}
 		nnodes++;
-		if(name && memcmp(&name[m],&np->nvname[m],n)==0 && np->nvname[m+n]=='.')
+		if(name && strncmp(&name[m],&np->nvname[m],n)==0 && np->nvname[m+n]=='.')
 			offset -= sizeof(char*);
 		dsize = nv_datasize(np,&offset);
 		if(!nv_isarray(np) && (dp=(Namtype_t*)nv_hasdisc(np, &type_disc)))
diff --git a/src/cmd/ksh93/tests/pty.sh b/src/cmd/ksh93/tests/pty.sh
index ac897196f..02771ab7f 100755
--- a/src/cmd/ksh93/tests/pty.sh
+++ b/src/cmd/ksh93/tests/pty.sh
@@ -826,5 +826,20 @@ w :\E_
 r ^:test-2: : One\\ "Two Three"\$'Four Five'\.mp3\r\n$
 !
 
+# err_exit #
+((SHOPT_VSH)) && tst $LINENO <<"!"
+L crash when entering comment into history file (vi mode)
+# https://github.com/att/ast/issues/798
+
+d 15
+p :test-1:
+c foo \E#
+r ^:test-1: #foo\r\n$
+w hist -lnN 1
+r ^:test-2: hist -lnN 1\r\n$
+r \t#foo\r\n$
+r \thist -lnN 1\r\n$
+!
+
 # ======
 exit $((Errors<125?Errors:125))