Fix segfault while updating ${.sh.match}

The SHOPT_2DMATCH code block in sh_setmatch() modifies the 'ap' pointer, which is initialised as nv_arrayptr(SH_MATCHNOD). This caused a (rarely occurring) segfault in the following line near the end of the function: ap->nelem -= x; as this line assumed that 'ap' still had the initial value. src/cmd/ksh93/sh/init.c: sh_setmatch(): - On init, save ap in ap_save and use ap_save instead of ap where it should be pointing to SH_MATCHNOD. This also allows removing two redundant nv_arrayptr(SH_MATCHNOD) calls, slightly increasing the efficiency of this function.
2025-03-09 15:50:02 +00:00 · 2021-01-07 17:34:47 +00:00 · 2021-01-07 17:34:47 +00:00 · a95d107ee5
commit a95d107ee5
parent f2c84ee202
3 changed files with 9 additions and 6 deletions
--- a/4
+++ b/4
@ -3,6 +3,10 @@ For full details, see the git log at: https://github.com/ksh93/ksh

 Any uppercase BUG_* names are modernish shell bug IDs.

+2021-01-07:
+
+- Fixed a crash that could occur while ksh updated ${.sh.match}.
+
 2021-01-05:

 - Fixed a bug in 'cd' that caused 'cd ./foo' to search for 'foo' in $CDPATH.
--- a/src/cmd/ksh93/include/version.h
+++ b/src/cmd/ksh93/include/version.h
@ -20,7 +20,7 @@

 #define SH_RELEASE_FORK	"93u+m"		/* only change if you develop a new ksh93 fork */
 #define SH_RELEASE_SVER	"1.0.0-alpha"	/* semantic version number: https://semver.org */
-#define SH_RELEASE_DATE	"2021-01-05"	/* must be in this format for $((.sh.version)) */
+#define SH_RELEASE_DATE	"2021-01-07"	/* must be in this format for $((.sh.version)) */

 /* Scripts sometimes field-split ${.sh.version}, so don't change amount of whitespace. */
 /* Arithmetic $((.sh.version)) uses the last 10 chars, so the date must be at the end. */
--- a/src/cmd/ksh93/sh/init.c
+++ b/src/cmd/ksh93/sh/init.c
@ -725,6 +725,7 @@ void sh_setmatch(Shell_t *shp,const char *v, int vsize, int nmatch, regoff_t mat
 	register int	i,n,x;
 	unsigned int	savesub = shp->subshell;
 	Namarr_t	*ap = nv_arrayptr(SH_MATCHNOD);
+	Namarr_t	*ap_save = ap;
 	shp->subshell = 0;
 #ifndef SHOPT_2DMATCH
 	index = 0;
@ -754,8 +755,7 @@ void sh_setmatch(Shell_t *shp,const char *v, int vsize, int nmatch, regoff_t mat
 			nv_disc(SH_MATCHNOD,&mp->hdr,NV_LAST);
 		if(nmatch)
 			nv_putsub(SH_MATCHNOD, NIL(char*), (nmatch-1)|ARRAY_FILL|ARRAY_SETSUB);
-		ap = nv_arrayptr(SH_MATCHNOD);
-		ap->nelem = mp->nmatch = nmatch;
+		ap_save->nelem = mp->nmatch = nmatch;
 		mp->v = v;
 		mp->first = match[0];
 	}
@ -773,8 +773,7 @@ void sh_setmatch(Shell_t *shp,const char *v, int vsize, int nmatch, regoff_t mat
 				nv_putsub(SH_MATCHNOD, (char*)0, i);
 				nv_arraychild(SH_MATCHNOD, np,0);
 			}
-			if(ap = nv_arrayptr(SH_MATCHNOD))
-				ap->nelem = mp->nmatch;
+			ap_save->nelem = mp->nmatch;
 		}
 		ap = nv_arrayptr(np);
 		nv_putsub(np, NIL(char*), index|ARRAY_FILL|ARRAY_SETSUB);
@ -808,7 +807,7 @@ void sh_setmatch(Shell_t *shp,const char *v, int vsize, int nmatch, regoff_t mat
 				x=1;

 		}
-		ap->nelem -= x;
+		ap_save->nelem -= x;
 		while(i < 2*mp->nmatch)
 			mp->match[index+i++] = -1;
 		memcpy(mp->val,v+n,vsize);