Package: ksh
Version: 93u+20120801-3.1
The sh_syntax() function in lex.c does the following:
char tokbuf[3];
/* ... */
tokstr = fmttoken(lp,tok,tokbuf);
But the fmttoken() function can write more than 3 bytes to the supplied
buffer. For example, here it writes 4 bytes ("<>;" + terminating null
byte):
$ ksh -n -c 'for<>;'
ksh: warning: line 1: use space or tab to separate operators < and
ksh: syntax error at line 1: `<>;' unexpected
Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
-- System Information:
Architecture: i386
Versions of packages ksh depends on:
ii libc6 2.24-17
ii binfmt-support 2.1.8-1
--
Jakub Wilk