Fix for memory mgmt in variable expansion (Solaris 105-CR7032068)

This upstreams a Solaris patch:
https://github.com/oracle/solaris-userland/blob/master/components/ksh93/patches/105-CR7032068.patch

No other information is publicly available but this has been in
production use on Solaris for a long time. It looks like this is
intended to avoid an invalid free().

Author: McDutchie

src/cmd/ksh93/sh/macro.c

@@ -1071,7 +1071,7 @@ static int varsub(Mac_t *mp)
 {
 	register int	c;
 	register int	type=0; /* M_xxx */
-	register char	*v,*argp=0;
+	register char	*v, *new_v=0, *argp=0;
 	register Namval_t	*np = NIL(Namval_t*);
 	register int 	dolg=0, mode=0;
 	Lex_t		*lp = (Lex_t*)mp->shp->lex_context;
@@ -1450,6 +1450,7 @@ static int varsub(Mac_t *mp)
 				if((mp->let || (mp->arith&&nv_isattr(np,(NV_LJUST|NV_RJUST|NV_ZFILL)))) && !nv_isattr(np,NV_INTEGER) && (offset==0 || isspace(c) || strchr(",.+-*/=%&|^?!<>",c)))
 					mp->zeros = 1;
 			}
+			new_v = v = strdup(v);
 			if(savptr==stakptr(0))
 				stkseek(stkp,offset);
 			else
@@ -2018,6 +2019,8 @@ static int varsub(Mac_t *mp)
 	}
 	if(np)
 		nv_close(np);
+	if(new_v)
+		free(new_v);
 	if(pattern)
 		free(pattern);
 	if(repstr)
@@ -2026,6 +2029,8 @@ static int varsub(Mac_t *mp)
 		free(idx);
 	return(1);
 nosub:
+	if(new_v)
+		free(new_v);
 	if(type==M_BRACE && sh_lexstates[ST_NORM][c]==S_BREAK)
 	{
 		fcseek(-1);