Fix crash due to double free() when sourcing multiple files

There is a bug in sh_eval() that may cause ksh to crash due to a double free() after sourcing multiple files with '.' or 'source' if a longjmp is triggered, e.g. by a syntax error. This applies a fix from Siteshwar Vashist: https://www.mail-archive.com/ast-developers@lists.research.att.com/msg01943.html src/cmd/ksh93/sh/xec.c: sh_eval(): - Zero file descriptor io_save after closing it. This prevents a double free() after returning from a longjmp. src/cmd/ksh93/tests/basic.sh: - Add reproducer as regression test.
ksh93 · Jul 9, 2020 · a8f6d6b · a8f6d6b
1 parent ae92cd8
commit a8f6d6b
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -3,6 +3,10 @@ For full details, see the git log at: https://github.com/ksh93/ksh
 
 Any uppercase BUG_* names are modernish shell bug IDs.
 
+2020-07-09:
+
+- Fixed a crash on syntax error when sourcing/dotting multiple files.
+
 2020-07-07:
 
 - Four of the date formats accepted by 'printf %()T' have had their

diff --git a/src/cmd/ksh93/include/version.h b/src/cmd/ksh93/include/version.h
@@ -17,4 +17,4 @@
 *                  David Korn <dgk@research.att.com>                   *
 *                                                                      *
 ***********************************************************************/
-#define SH_RELEASE	"93u+m 2020-07-07"
+#define SH_RELEASE	"93u+m 2020-07-09"
diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c
@@ -624,7 +624,11 @@ int sh_eval(register Sfio_t *iop, int mode)
 	if(lineno)
 		shp->inlineno = lineno;
 	if(io_save)
+	{
 		sfclose(io_save);
+		io_save = 0;
+	}
+
 	sh_freeup(shp);
 	shp->st.staklist = saveslp;
 	shp->fn_reset = 0;

diff --git a/src/cmd/ksh93/tests/basic.sh b/src/cmd/ksh93/tests/basic.sh
@@ -524,4 +524,33 @@ $SHELL -xc '$(LD_LIBRARY_PATH=$LD_LIBRARY_PATH exec $SHELL -c :)' > /dev/null 2>
 
 $SHELL 2> /dev/null -c $'for i;\ndo :;done' || err_exit 'for i ; <newline> not vaid'
 
+# ======
+# Crash on syntax error when dotting/sourcing multiple files
+# Ref.: https://www.mail-archive.com/ast-developers@lists.research.att.com/msg01943.html
+(
+	mkdir "$tmp/dotcrash" || exit
+	cd "$tmp/dotcrash" || exit
+	cat >functions.ksh <<-EOF
+		function f1
+		{
+			echo "f1"
+		}
+		function f2
+		{
+			if	[[ $1 -eq 1 ]]:  # deliberate syntax error
+			then	echo "f2"
+			fi
+		}
+	EOF
+	cat >sub1.ksh <<-EOF
+		. ./functions.ksh
+		echo "sub1" >tmp.out
+	EOF
+	cat >main.ksh <<-EOF
+		. ./sub1.ksh
+	EOF
+	"$SHELL" main.ksh 2>/dev/null
+) || err_exit "crash when sourcing multiple files (exit status $?)"
+
+# ======
 exit $((Errors<125?Errors:125))