From a8f6d6b842c12bfcf2f69cb0301137b263c03895 Mon Sep 17 00:00:00 2001 From: Martijn Dekker Date: Thu, 9 Jul 2020 15:09:52 +0100 Subject: [PATCH] Fix crash due to double free() when sourcing multiple files There is a bug in sh_eval() that may cause ksh to crash due to a double free() after sourcing multiple files with '.' or 'source' if a longjmp is triggered, e.g. by a syntax error. This applies a fix from Siteshwar Vashist: https://www.mail-archive.com/ast-developers@lists.research.att.com/msg01943.html src/cmd/ksh93/sh/xec.c: sh_eval(): - Zero file descriptor io_save after closing it. This prevents a double free() after returning from a longjmp. src/cmd/ksh93/tests/basic.sh: - Add reproducer as regression test. --- NEWS | 4 ++++ src/cmd/ksh93/include/version.h | 2 +- src/cmd/ksh93/sh/xec.c | 4 ++++ src/cmd/ksh93/tests/basic.sh | 29 +++++++++++++++++++++++++++++ 4 files changed, 38 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 66099f6ef..d6b2ce4b5 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,10 @@ For full details, see the git log at: https://github.com/ksh93/ksh Any uppercase BUG_* names are modernish shell bug IDs. +2020-07-09: + +- Fixed a crash on syntax error when sourcing/dotting multiple files. + 2020-07-07: - Four of the date formats accepted by 'printf %()T' have had their diff --git a/src/cmd/ksh93/include/version.h b/src/cmd/ksh93/include/version.h index 394dc9257..f172acf12 100644 --- a/src/cmd/ksh93/include/version.h +++ b/src/cmd/ksh93/include/version.h @@ -17,4 +17,4 @@ * David Korn * * * ***********************************************************************/ -#define SH_RELEASE "93u+m 2020-07-07" +#define SH_RELEASE "93u+m 2020-07-09" diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c index cfde49b29..13b22cac3 100644 --- a/src/cmd/ksh93/sh/xec.c +++ b/src/cmd/ksh93/sh/xec.c 
@@ -624,7 +624,11 @@ int sh_eval(register Sfio_t *iop, int mode) if(lineno) shp->inlineno = lineno; if(io_save) + { sfclose(io_save); + io_save = 0; + } + sh_freeup(shp); shp->st.staklist = saveslp; shp->fn_reset = 0; diff --git a/src/cmd/ksh93/tests/basic.sh b/src/cmd/ksh93/tests/basic.sh index 515dfb28d..2adb2a968 100755 --- a/src/cmd/ksh93/tests/basic.sh +++ b/src/cmd/ksh93/tests/basic.sh @@ -524,4 +524,33 @@ $SHELL -xc '$(LD_LIBRARY_PATH=$LD_LIBRARY_PATH exec $SHELL -c :)' > /dev/null 2> $SHELL 2> /dev/null -c $'for i;\ndo :;done' || err_exit 'for i ; not vaid' +# ====== +# Crash on syntax error when dotting/sourcing multiple files +# Ref.: https://www.mail-archive.com/ast-developers@lists.research.att.com/msg01943.html +( + mkdir "$tmp/dotcrash" || exit + cd "$tmp/dotcrash" || exit + cat >functions.ksh <<-EOF + function f1 + { + echo "f1" + } + function f2 + { + if [[ $1 -eq 1 ]]: # deliberate syntax error + then echo "f2" + fi + } + EOF + cat >sub1.ksh <<-EOF + . ./functions.ksh + echo "sub1" >tmp.out + EOF + cat >main.ksh <<-EOF + . ./sub1.ksh + EOF + "$SHELL" main.ksh 2>/dev/null +) || err_exit "crash when sourcing multiple files (exit status $?)" + +# ====== exit $((Errors<125?Errors:125))
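Review bot: The added `io_save = 0;` in sh_eval() is the whole fix, yet it has no comment, so a later cleanup could remove it as a dead store and bring back the double free. I would put a comment above it such as `/* clear after close: io_save can be tested again once a longjmp returns here, and a stale pointer would reach sfclose() twice */`. The declaration of io_save is outside the hunk. If it has static storage or is otherwise shared between nested sh_eval() calls (not visible here), every other path that closes or reassigns it should leave it either valid or zero. sh_eval's body starts and ends outside the hunk.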
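Review bot: The here-documents in the new test use an unquoted delimiter (`<<-EOF`), so `$1` in the generated functions.ksh is expanded by basic.sh when the file is written rather than stored literally. The stray `:` after `]]` still leaves a syntax error, but the file ksh parses is not the text shown in the test. Quoting the delimiter, `cat >functions.ksh <<-'EOF'`, keeps the reproducer exactly as written. Separately, `|| err_exit "crash when sourcing multiple files ..."` fires on any non-zero status from the subshell, including a failed `mkdir` or `cd`, so a setup failure would be reported as a crash. The message or the check could separate setup failure from death by signal.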