From bd88cc7f4f7207b48104e37cca90848adf5cb10c Mon Sep 17 00:00:00 2001
From: Johnothan King <johnothanking@protonmail.com>
Date: Sun, 19 Jul 2020 15:42:12 -0700
Subject: [PATCH] Fix two crashes related to kshdb (#82)

This commit fixes two different crashes related to kshdb:
- When redirect is given an invalid file descriptor, a segfault
  no longer occurs. Reproducer:
  $ ksh -c 'redirect 9>&200000000000'

- Fix a crash due to free(3) being used on an invalid pointer.
  This can be reproduced with kshdb (commands from att/ast#582):
  $ git clone https://github.com/rocky/kshdb.git
  $ cd kshdb
  $ ksh autogen.sh
  $ echo "print hi there" > $HOME/.kshdbrc
  $ ./kshdb -L . test/example/dbg-test1.sh

src/cmd/ksh93/bltins/misc.c: b_dot_cmd():
- The string pointed to by shp->st.filename must be able to be
  freed from memory with free(3), so duplicate the string with
  strdup(3).

src/cmd/ksh93/sh/io.c: sh_redirect():
- Show an error message when a file descriptor is invalid to
  fix a memory fault.
---
 NEWS                            | 7 +++++++
 src/cmd/ksh93/bltins/misc.c     | 2 +-
 src/cmd/ksh93/include/version.h | 2 +-
 src/cmd/ksh93/sh/io.c           | 2 +-
 src/cmd/ksh93/tests/io.sh       | 4 ++++
 5 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index b2bf5d4c0..7eee354e5 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,13 @@ For full details, see the git log at: https://github.com/ksh93/ksh
 
 Any uppercase BUG_* names are modernish shell bug IDs.
 
+2020-07-19:
+
+- Fixed a crash that occured in the '.' command when using kshdb.
+
+- Fixed a crash that occured when attempting to use redirection with an
+  invalid file descriptor.
+
 2020-07-16:
 
 - The 'history' and 'r' default aliases have been made regular built-ins,
diff --git a/src/cmd/ksh93/bltins/misc.c b/src/cmd/ksh93/bltins/misc.c
index 250edd4ea..196c04c83 100644
--- a/src/cmd/ksh93/bltins/misc.c
+++ b/src/cmd/ksh93/bltins/misc.c
@@ -279,7 +279,7 @@ int    b_dot_cmd(register int n,char *argv[],Shbltin_t *context)
 	shp->topscope = (Shscope_t*)shp->st.self;
 	prevscope->save_tree = shp->var_tree;
 	if(np)
-		shp->st.filename = np->nvalue.rp->fname;
+		shp->st.filename = np->nvalue.rp->fname ? strdup(np->nvalue.rp->fname) : 0;
 	nv_putval(SH_PATHNAMENOD, shp->st.filename ,NV_NOFREE);
 	shp->posix_fun = 0;
 	if(np || argv[1])
diff --git a/src/cmd/ksh93/include/version.h b/src/cmd/ksh93/include/version.h
index 0c64b2f73..de71efe99 100644
--- a/src/cmd/ksh93/include/version.h
+++ b/src/cmd/ksh93/include/version.h
@@ -17,4 +17,4 @@
 *                  David Korn <dgk@research.att.com>                   *
 *                                                                      *
 ***********************************************************************/
-#define SH_RELEASE	"93u+m 2020-07-16"
+#define SH_RELEASE	"93u+m 2020-07-19"
diff --git a/src/cmd/ksh93/sh/io.c b/src/cmd/ksh93/sh/io.c
index 337b84531..04817c636 100644
--- a/src/cmd/ksh93/sh/io.c
+++ b/src/cmd/ksh93/sh/io.c
@@ -1194,7 +1194,7 @@ int	sh_redirect(Shell_t *shp,struct ionod *iop, int flag)
 						toclose = dupfd;
 						number++;
 					}
-					if(*number || dupfd > IOUFD)
+					if(*number || !sh_iovalidfd(shp,dupfd) || dupfd > IOUFD)
 					{
 						message = e_file;
 						goto fail;
diff --git a/src/cmd/ksh93/tests/io.sh b/src/cmd/ksh93/tests/io.sh
index fb86b45cd..bfb4b0600 100755
--- a/src/cmd/ksh93/tests/io.sh
+++ b/src/cmd/ksh93/tests/io.sh
@@ -563,5 +563,9 @@ result=$("$SHELL" -ic 'echo >(true) >/dev/null' 2>&1)
 "$SHELL" -c 'read -u-2000000' 2> /dev/null
 [[ $? == 1 ]] || err_exit "Negative file descriptors cause 'read -u' to crash"
 
+# An out of range fd shouldn't segfault with redirections
+"$SHELL" -c 'true 9>&20000000000000000000' 2> /dev/null
+[[ $? == 1 ]] || err_exit "Out of range file descriptors cause redirections to segfault"
+
 # ======
 exit $((Errors<125?Errors:125))