Fix two crashes related to kshdb (#82)

This commit fixes two different crashes related to kshdb: - When redirect is given an invalid file descriptor, a segfault no longer occurs. Reproducer: $ ksh -c 'redirect 9>&200000000000' - Fix a crash due to free(3) being used on an invalid pointer. This can be reproduced with kshdb (commands from att/ast#582): $ git clone https://github.com/rocky/kshdb.git $ cd kshdb $ ksh autogen.sh $ echo "print hi there" > $HOME/.kshdbrc $ ./kshdb -L . test/example/dbg-test1.sh src/cmd/ksh93/bltins/misc.c: b_dot_cmd(): - The string pointed to by shp->st.filename must be able to be freed from memory with free(3), so duplicate the string with strdup(3). src/cmd/ksh93/sh/io.c: sh_redirect(): - Show an error message when a file descriptor is invalid to fix a memory fault.
2025-02-13 03:32:24 +00:00 · 2020-07-19 15:42:12 -07:00 · 2020-07-19 15:42:12 -07:00 · bd88cc7f4f
commit bd88cc7f4f
parent 36f55f1f85
5 changed files with 14 additions and 3 deletions
--- a/7
+++ b/7
@ -3,6 +3,13 @@ For full details, see the git log at: https://github.com/ksh93/ksh

 Any uppercase BUG_* names are modernish shell bug IDs.

+2020-07-19:
+
+- Fixed a crash that occured in the '.' command when using kshdb.
+
+- Fixed a crash that occured when attempting to use redirection with an
+  invalid file descriptor.
+
 2020-07-16:

 - The 'history' and 'r' default aliases have been made regular built-ins,
--- a/src/cmd/ksh93/bltins/misc.c
+++ b/src/cmd/ksh93/bltins/misc.c
@ -279,7 +279,7 @@ int    b_dot_cmd(register int n,char *argv[],Shbltin_t *context)
 	shp->topscope = (Shscope_t*)shp->st.self;
 	prevscope->save_tree = shp->var_tree;
 	if(np)
-		shp->st.filename = np->nvalue.rp->fname;
+		shp->st.filename = np->nvalue.rp->fname ? strdup(np->nvalue.rp->fname) : 0;
 	nv_putval(SH_PATHNAMENOD, shp->st.filename ,NV_NOFREE);
 	shp->posix_fun = 0;
 	if(np || argv[1])
--- a/src/cmd/ksh93/include/version.h
+++ b/src/cmd/ksh93/include/version.h
@ -17,4 +17,4 @@
 *                  David Korn <dgk@research.att.com>                   *
 *                                                                      *
 ***********************************************************************/
-#define SH_RELEASE	"93u+m 2020-07-16"
+#define SH_RELEASE	"93u+m 2020-07-19"
--- a/src/cmd/ksh93/sh/io.c
+++ b/src/cmd/ksh93/sh/io.c
@ -1194,7 +1194,7 @@ int	sh_redirect(Shell_t *shp,struct ionod *iop, int flag)
 						toclose = dupfd;
 						number++;
 					}
-					if(*number || dupfd > IOUFD)
+					if(*number || !sh_iovalidfd(shp,dupfd) || dupfd > IOUFD)
 					{
 						message = e_file;
 						goto fail;
--- a/src/cmd/ksh93/tests/io.sh
+++ b/src/cmd/ksh93/tests/io.sh
@ -563,5 +563,9 @@ result=$("$SHELL" -ic 'echo >(true) >/dev/null' 2>&1)
 "$SHELL" -c 'read -u-2000000' 2> /dev/null
 [[ $? == 1 ]] || err_exit "Negative file descriptors cause 'read -u' to crash"

+# An out of range fd shouldn't segfault with redirections
+"$SHELL" -c 'true 9>&20000000000000000000' 2> /dev/null
+[[ $? == 1 ]] || err_exit "Out of range file descriptors cause redirections to segfault"
+
 # ======
 exit $((Errors<125?Errors:125))