nv_clone(): don't call num_clone() for array nodes

num_clone handles simple numeric values of all types but not array nodes. Calling it for an array node caused the arith.sh regression test below to crash in num_clone() with a buffer overflow when ksh is compiled with AddressSanitizer. The array has the NV_INTEGER attribute because it is an array of numeric values, but that doesn't mean the array node itself holds a number. After this, all the arith.sh tests pass with AddressSanitizer. The failing test in arith.c was this one, introduced in d50d3d7c: got=$( typeset -r -A -i ro_arr=([a]=10 [b]=20 [c]=30) set +x for ((i=0; i<loopcount; i++)); do ( ((ro_arr[i+1] += 5)) ) done 2>&1 ) [[ $got == *recursion* ]] && err_exit "recursion level not reset on readonly error (subshell)"
2025-03-09 15:50:02 +00:00 · 2022-07-10 22:29:45 +02:00 · 2022-07-10 22:29:45 +02:00 · 6728720f8f
commit 6728720f8f
parent 7a01d6df47
1 changed files with 1 additions and 1 deletions
--- a/src/cmd/ksh93/sh/nvdisc.c
+++ b/src/cmd/ksh93/sh/nvdisc.c
@ -961,7 +961,7 @@ int nv_clone(Namval_t *np, Namval_t *mp, int flags)
 	}
 	else if((flags&NV_ARRAY) && !nv_isattr(np,NV_MINIMAL))
 		mp->nvenv = np->nvenv;
-	if(nv_isattr(np,NV_INTEGER) && mp->nvalue.ip!=np->nvalue.ip && np->nvalue.cp!=Empty)
+	if(nv_isattr(np,NV_INTEGER) && !nv_isarray(np) && mp->nvalue.ip!=np->nvalue.ip && np->nvalue.cp!=Empty)
 	{
 		mp->nvalue.ip = (int*)num_clone(np,(void*)np->nvalue.ip);
 		nv_offattr(mp,NV_NOFREE);