Hi, please find attached a patch fixing an off-by-one error found by one
of our customers.
Reproducer:
# su - testksh
$
$
$
$ function dlog
> {
> fc -ln -0
> }
$ trap dlog DEBUG
$ >/tmp/blah
...
Segmentation fault (core dumped)
----
In a nutshell, when the debug trap is set, with static int jobsaveid
being placed in memory after the static char* argv[1] changed in the
patch, the sh_trace() function tries to cycle through argv, probably
expecting a NULL-terminated array (which is what the second argv element
is for); instead it reads jobsaveid's value and keeps reading until it
gets to memory the process doesn't own.
Cheers,
Ondrej
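As an added illustration of the pattern described in the mail (not ksh code and not part of the patch), the following shows why a one-slot static array is unsafe for a sentinel-driven walk and why two slots suffice: static storage is zero-initialised, so the second element is a NULL terminator as long as nothing writes to it. The names argv_fixed, count_until_null, count_bounded and demo are hypothetical; the bounded variant is an alternative that takes an explicit element count, as the argn variable in the hunk context would allow, rather than relying on a terminator at all.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not from ksh. Mirrors the shape of the fix: a static
 * pointer array read by a loop that stops at NULL. With two slots,
 * argv_fixed[1] is NULL from static initialisation and terminates the
 * walk; with one slot there is no terminator and the loop would read
 * whatever object the linker placed after the array. */

/* Hypothetical stand-in for the single command name the shell stores. */
static char *argv_fixed[2];

/* Sentinel-driven walk, the pattern the report attributes to sh_trace():
 * correct only if a NULL element is guaranteed to be present. */
size_t count_until_null(char **av)
{
    size_t n = 0;
    while (av[n] != NULL)
        n++;
    return n;
}

/* Bounded walk: takes the element count (argn in the hunk context) and
 * never depends on a sentinel, so a missing terminator cannot cause an
 * over-read into neighbouring static data. */
size_t count_bounded(char **av, size_t argn)
{
    size_t n = 0;
    while (n < argn && av[n] != NULL)
        n++;
    return n;
}

/* Populate the array the way the shell would (one command name) and
 * walk it with the sentinel loop. Returns 1 because argv_fixed[1] is NULL. */
size_t demo(void)
{
    argv_fixed[0] = "true";   /* constructed sample command name */
    /* argv_fixed[1] is left untouched: still NULL from static init */
    return count_until_null(argv_fixed);
}

int main(void)
{
    /* A one-slot array has no room for a terminator; only the bounded
     * walk can be used on it safely. */
    char *one_slot[1] = { "true" };
    printf("sentinel walk over two-slot array: %zu\n", demo());
    printf("bounded walk over one-slot array:  %zu\n",
           count_bounded(one_slot, 1));
    return 0;
}
```

The bounded form is the one to prefer when the consumer already knows how many elements were stored; the sentinel form is only as safe as the guarantee that the terminator slot exists and is never overwritten.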
--- ksh-20120801/src/cmd/ksh93/sh/xec.c.arraylen 2015-04-02 10:55:26.228017873 -0400
+++ ksh-20120801/src/cmd/ksh93/sh/xec.c 2015-04-02 10:56:04.099017700 -0400
@@ -1234,7 +1234,7 @@ int sh_exec(register const Shnode_t *t,
if((io||argn))
{
Shbltin_t *bp=0;
- static char *argv[1];
+ static char *argv[2];
int tflags = 1;
if(np && nv_isattr(np,BLT_DCL))
tflags |= 2;
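Review bot: The enlarged `static char *argv[2];` depends on the second element staying zero from static initialisation to serve as the NULL terminator the description says sh_trace() expects, but nothing at the declaration records that; a comment on that line such as `/* argv[1] stays NULL: sh_trace() walks argv until NULL */` would stop a later change from writing into it and silently reintroducing the over-read. Since `argn` is already in scope in this hunk, passing an explicit count to the consumer instead of relying on a sentinel would be the more robust fix; if the sentinel approach is kept, the commit message should say why.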
_______________________________________________
ast-developers mailing list
[email protected]
http://lists.research.att.com/mailman/listinfo/ast-developers