lex.c: prevent restoring outdated stack pointer

Lexical levels are stored in a dynamically grown array of int values grown by the stack_grow function. The pointer lex_match and the maximum index lex_max are part of the lexer state struct that is now saved and restored in various places -- see e.g. 37044047, a2bc49be. If the stack needs to be grown, it is reallocated in stack_grow() using sh_realloc(). If that happens between saving and restoring the lexer state, then an outdated pointer is restored, and crash. src/cmd/ksh93/include/shlex.h, src/cmd/ksh93/sh/lex.c: - Take lex_match and lex_max out of the lexer state struct and make them separate static variables. src/cmd/ksh93/edit/edit.c: - While we're at it, save and restore the lexer state in a way that is saner than the 93v- beta approach (re: 37044047) as well as more readable. Instead of permanently allocating memory, use a local variable to save the struct. Save/restore directly around the sh_trap() call that actually needs this done. Resolves: https://github.com/ksh93/ksh/issues/482
2025-03-09 15:50:02 +00:00 · 2022-06-23 02:56:18 +01:00 · 2022-06-23 02:56:18 +01:00 · da97587e9e
commit da97587e9e
parent d8dc2a1d81
4 changed files with 17 additions and 20 deletions
--- a/src/cmd/ksh93/edit/edit.c
+++ b/src/cmd/ksh93/edit/edit.c
@ -50,7 +50,6 @@

 static char CURSOR_UP[20] = { ESC, '[', 'A', 0 };
 static char KILL_LINE[20] = { ESC, '[', 'J', 0 };
-static Lex_t *savelex;


 #if SHOPT_MULTIBYTE
@ -219,8 +218,6 @@ int tty_set(int fd, int action, struct termios *tty)
 void tty_cooked(register int fd)
 {
 	register Edit_t *ep = (Edit_t*)(sh.ed_context);
-	if(sh.st.trap[SH_KEYTRAP] && savelex)
-		memcpy(sh.lex_context,savelex,sizeof(Lex_t));
 	ep->e_keytrap = 0;
 	if(ep->e_raw==0)
 		return;
@ -842,12 +839,6 @@ void	ed_setup(register Edit_t *ep, int fd, int reedit)
 			ep->e_lbuf[n] = *pp++;
 		ep->e_default = 0;
 	}
-	if(sh.st.trap[SH_KEYTRAP])
-	{
-		if(!savelex)
-			savelex = (Lex_t*)sh_malloc(sizeof(Lex_t));
-		memcpy(savelex, sh.lex_context, sizeof(Lex_t));
-	}
 }
 #endif /* SHOPT_ESH || SHOPT_VSH */

@ -1637,6 +1628,7 @@ static int keytrap(Edit_t *ep,char *inbuff,register int insize, int bufsize, int
 {
 	register char *cp;
 	int savexit;
+	Lex_t *lexp = (Lex_t*)sh.lex_context, savelex;
 #if SHOPT_MULTIBYTE
 	char buff[MAXLINE];
 	ed_external(ep->e_inbuf,cp=buff);
@ -1657,7 +1649,9 @@ static int keytrap(Edit_t *ep,char *inbuff,register int insize, int bufsize, int
 	nv_putval(ED_TXTNOD,(char*)cp,NV_NOFREE);
 	nv_putval(ED_MODENOD,ep->e_vi_insert,NV_NOFREE);
 	savexit = sh.savexit;
+	savelex = *lexp;
 	sh_trap(sh.st.trap[SH_KEYTRAP],0);
+	*lexp = savelex;
 	sh.savexit = savexit;
 	if((cp = nv_getval(ED_CHRNOD)) == inbuff)
 		nv_unset(ED_CHRNOD);