From 461a1aebc1eb8597f1a1ec6cd2b9e3d6d150d156 Mon Sep 17 00:00:00 2001
From: Martijn Dekker <martijn@inlv.org>
Date: Tue, 15 Sep 2020 23:39:54 +0200
Subject: [PATCH] Fix memory leak in typeset (rhbz#1036470)

A memory leak occurred when typeset was used in a function called
from within a command substitution. This fix was backported from
the 93v- beta by Red Hat on 22 Jan 2014. Source:
https://src.fedoraproject.org/rpms/ksh/blob/642af4d6/f/ksh-20120801-memlik3.patch

src/cmd/ksh93/include/name.h,
src/cmd/ksh93/sh/subshell.c:
- Replace the nv_subsaved() function by the version from ksh 93v-.
  This version frees a table from memory if the NV_TABLE flag is
  passed in the new second parameter, a bitmask for flags (which
  was oddly named 'table'; I've renamed it to 'flags').

src/cmd/ksh93/sh/name.c:
- nv_delete(): When calling nv_subsaved(), pass on the NV_TABLE
  flag if given.
- table_unset(): Call nv_delete() with the NV_TABLE flag.

src/cmd/ksh93/tests/leaks.sh:
- Add test based on the reproducer provided in Red Hat bug 1036470.
---
 src/cmd/ksh93/include/name.h |  2 +-
 src/cmd/ksh93/sh/name.c      |  6 +++---
 src/cmd/ksh93/sh/subshell.c  | 18 +++++++++++++++---
 src/cmd/ksh93/tests/leaks.sh | 18 ++++++++++++++++++
 4 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/src/cmd/ksh93/include/name.h b/src/cmd/ksh93/include/name.h
index 697809488..d75ef67d5 100644
--- a/src/cmd/ksh93/include/name.h
+++ b/src/cmd/ksh93/include/name.h
@@ -217,7 +217,7 @@ extern Namval_t		*nv_mount(Namval_t*, const char *name, Dt_t*);
 extern Namval_t		*nv_arraychild(Namval_t*, Namval_t*, int);
 extern int		nv_compare(Dt_t*, Void_t*, Void_t*, Dtdisc_t*);
 extern void		nv_outnode(Namval_t*,Sfio_t*, int, int);
-extern int		nv_subsaved(Namval_t*);
+extern int		nv_subsaved(Namval_t*, int);
 extern void		nv_typename(Namval_t*, Sfio_t*);
 extern void		nv_newtype(Namval_t*);
 extern int		nv_istable(Namval_t*);
diff --git a/src/cmd/ksh93/sh/name.c b/src/cmd/ksh93/sh/name.c
index e2f5de88f..2a0c2163d 100644
--- a/src/cmd/ksh93/sh/name.c
+++ b/src/cmd/ksh93/sh/name.c
@@ -1259,7 +1259,7 @@ void nv_delete(Namval_t* np, Dt_t *root, int flags)
 	{
 		if(dtdelete(root,np))
 		{
-			if(!(flags&NV_NOFREE) && ((flags&NV_FUNCTION) || !nv_subsaved(np)))
+			if(!(flags&NV_NOFREE) && ((flags&NV_FUNCTION) || !nv_subsaved(np,flags&NV_TABLE)))
 			{
 				Namarr_t *ap;
 				if(nv_isarray(np) && np->nvfun && (ap=nv_arrayptr(np)) && array_assoc(ap))
@@ -2400,14 +2400,14 @@ static void table_unset(Shell_t *shp, register Dt_t *root, int flags, Dt_t *oroo
 			{
 				_nv_unset(nq,flags);
 				npnext = (Namval_t*)dtnext(root,nq);
-				nv_delete(nq,root,0);
+				nv_delete(nq,root,NV_TABLE);
 			}
 		}
 		npnext = (Namval_t*)dtnext(root,np);
 		if(nv_arrayptr(np))
 			nv_putsub(np,NIL(char*),ARRAY_SCAN);
 		_nv_unset(np,flags);
-		nv_delete(np,root,0);
+		nv_delete(np,root,NV_TABLE);
 	}
 }
 
diff --git a/src/cmd/ksh93/sh/subshell.c b/src/cmd/ksh93/sh/subshell.c
index b74b00430..9a6993cc6 100644
--- a/src/cmd/ksh93/sh/subshell.c
+++ b/src/cmd/ksh93/sh/subshell.c
@@ -211,16 +211,28 @@ void sh_subfork(void)
 	}
 }
 
-int nv_subsaved(register Namval_t *np)
+int nv_subsaved(register Namval_t *np, int flags)
 {
 	register struct subshell	*sp;
-	register struct Link		*lp;
+	register struct Link		*lp, *lpprev;
 	for(sp = (struct subshell*)subshell_data; sp; sp=sp->prev)
 	{
-		for(lp=sp->svar; lp; lp = lp->next)
+		lpprev = 0;
+		for(lp=sp->svar; lp; lpprev=lp, lp=lp->next)
 		{
 			if(lp->node==np)
+			{
+				if(flags&NV_TABLE)
+				{
+					if(lpprev)
+						lpprev->next = lp->next;
+					else
+						sp->svar = lp->next;
+					free((void*)np);
+					free((void*)lp);
+				}
 				return(1);
+			}
 		}
 	}
 	return(0);
diff --git a/src/cmd/ksh93/tests/leaks.sh b/src/cmd/ksh93/tests/leaks.sh
index 0ea4795fd..6db3ad630 100755
--- a/src/cmd/ksh93/tests/leaks.sh
+++ b/src/cmd/ksh93/tests/leaks.sh
@@ -228,5 +228,23 @@ err_exit_if_leak 'indexed array in function'
 
 LANG=$saveLANG		# comment out to test remaining leak (2/2)
 
+# ======
+# Memory leak in typeset (Red Hat #1036470)
+# Fix based on: https://src.fedoraproject.org/rpms/ksh/blob/642af4d6/f/ksh-20120801-memlik3.patch
+# The fix was backported from ksh 93v- beta.
+
+function myFunction
+{
+	typeset toPrint="something"
+	echo "${toPrint}"
+}
+state=$(myFunction)
+before=$(getmem)
+for ((i=0; i < N; i++))
+do	state=$(myFunction)
+done
+after=$(getmem)
+err_exit_if_leak 'typeset in function called by command substitution'
+
 # ======
 exit $((Errors<125?Errors:125))