Array 'argv[0]' accessed at index -1, which is out of bounds #1423

Closed
krader1961 opened this issue Oct 29, 2019 · 0 comments
@krader1961 (Contributor) commented:
I ran `bin/lint --all` recently after upgrading the software on my system, including cppcheck, which now reports these warnings:

[src/cmd/ksh93/sh/xec.c:2675] error (negativeIndex):
 Array 'argv[0]' accessed at index -1, which is out of bounds.
[src/cmd/ksh93/sh/xec.c:2676] error (negativeIndex):
 Array 'argv[0]' accessed at index -1, which is out of bounds.
[src/cmd/ksh93/sh/xec.c:2685] error (negativeIndex):
 Array 'argv[0]' accessed at index -1, which is out of bounds.

This is the block of code in question:

ast/src/cmd/ksh93/sh/xec.c, lines 2671 to 2685 at commit 4503830:
    if (nv_isattr(np, NV_FPOSIX) && !sh_isoption(shp, SH_BASH)) {
        char *save;
        int loopcnt = shp->st.loopcnt;
        shp->posix_fun = np;
        save = argv[-1];        /* reads the word before argv[0] (flagged by cppcheck) */
        argv[-1] = 0;           /* overwrites it so it can serve as a fake argv[0] */
        shp->st.funname = nv_name(np);
        shp->last_root = nv_dict(VAR_sh);
        nv_putval(VAR_sh_fun, nv_name(np), NV_NOFREE);
        opt_info.index = opt_info.offset = 0;
        error_info.errors = 0;
        shp->st.loopcnt = 0;
        b_source(argn + 1, argv - 1, &shp->bltindata);  /* passes the shifted vector */
        shp->st.loopcnt = loopcnt;
        argv[-1] = save;        /* restores the out-of-bounds word */

This is probably the worst bogosity I've yet encountered in this project. In case it isn't obvious, the code is modifying a random word that precedes the argv[] array. That word is unrelated to the contents of argv[]. It could even be in a different page of memory, and that page might not even be mapped (which would cause a SIGSEGV). The word being temporarily modified could theoretically be accessed by any of the functions called between modifying and restoring the word of memory. This is another case of someone being too clever by half. The entire point of this code is to pass a single non-option argument to b_source().
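As an added illustration (not code from the issue or from ksh93), the following shows the pattern that achieves the same effect as the `argv - 1` trick without reading or writing outside the caller's array: allocate a fresh vector with a command-name slot in element 0 and the caller's arguments shifted up by one, and hand that to the callee. `fake_source()` and `prepend_argv()` are hypothetical names standing in for `b_source()` and the shifted-vector construction; `caller_argv_untouched()` checks that the caller's original argv is byte-for-byte unchanged after the call.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for b_source(): takes argc/argv the way a shell
 * builtin does and returns its first non-option argument (the name of the
 * thing to source), or NULL if there is none. Constructed for this example;
 * it is not ksh93's b_source(). */
static const char *fake_source(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        if (argv[i] != NULL && argv[i][0] != '-') return argv[i];
    }
    return NULL;
}

/* Safe replacement for writing to argv[-1]: allocate a new vector
 *   { cmd, argv[0], ..., argv[argc-1], NULL }
 * so the callee sees element 0 as the command slot and the caller's
 * original argv[0] as its first argument. Nothing outside the caller's
 * array is read or written. Caller frees the result; NULL on allocation
 * failure. */
char **prepend_argv(const char *cmd, int argc, char **argv) {
    char **vec = malloc(((size_t)argc + 2) * sizeof *vec);
    if (vec == NULL) return NULL;
    vec[0] = (char *)cmd;
    memcpy(vec + 1, argv, (size_t)argc * sizeof *argv);
    vec[argc + 1] = NULL;   /* conventional terminator */
    return vec;
}

/* Call the hypothetical builtin with the shifted vector and return what it
 * picked as its first non-option argument (NULL on allocation failure). */
const char *call_with_shifted_argv(int argc, char **argv) {
    char **vec = prepend_argv("source", argc, argv);
    if (vec == NULL) return NULL;
    const char *r = fake_source(argc + 1, vec);
    free(vec);   /* r points at one of the caller's strings, not into vec */
    return r;
}

/* Returns 1 if the builtin saw the function name as its argument and the
 * caller's argv is unchanged afterwards, else 0. */
int caller_argv_untouched(void) {
    char *caller_argv[] = { "myfunc", "arg1", "arg2", NULL };   /* constructed input */
    char *before[4];
    memcpy(before, caller_argv, sizeof caller_argv);
    const char *r = call_with_shifted_argv(3, caller_argv);
    if (r == NULL || strcmp(r, "myfunc") != 0) return 0;
    return memcmp(before, caller_argv, sizeof caller_argv) == 0;
}
```

The cost is one small allocation per call; in exchange, the code no longer depends on what happens to sit in the word before the array, and nothing called in between can observe a temporarily corrupted neighbour.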
