From 6728720f8fdb8e474d94486ba2a4c1f4972a75cb Mon Sep 17 00:00:00 2001
From: Martijn Dekker
Date: Sun, 10 Jul 2022 22:29:45 +0200
Subject: [PATCH] nv_clone(): don't call num_clone() for array nodes

num_clone handles simple numeric values of all types but not array nodes. Calling it for an array node caused the arith.sh regression test below to crash in num_clone() with a buffer overflow when ksh is compiled with AddressSanitizer. The array has the NV_INTEGER attribute because it is an array of numeric values, but that doesn't mean the array node itself holds a number. After this, all the arith.sh tests pass with AddressSanitizer. The failing test in arith.c was this one, introduced in d50d3d7c:
got=$( typeset -r -A -i ro_arr=([a]=10 [b]=20 [c]=30) set +x for ((i=0; i&1 ) [[ $got == *recursion* ]] && err_exit "recursion level not reset on readonly error (subshell)"
---
 src/cmd/ksh93/sh/nvdisc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cmd/ksh93/sh/nvdisc.c b/src/cmd/ksh93/sh/nvdisc.c
index f4c5a02f2..d53a434fb 100644
--- a/src/cmd/ksh93/sh/nvdisc.c
+++ b/src/cmd/ksh93/sh/nvdisc.c
@@ -961,7 +961,7 @@ int nv_clone(Namval_t *np, Namval_t *mp, int flags)
 }
 else if((flags&NV_ARRAY) && !nv_isattr(np,NV_MINIMAL))
 mp->nvenv = np->nvenv;
- if(nv_isattr(np,NV_INTEGER) && mp->nvalue.ip!=np->nvalue.ip && np->nvalue.cp!=Empty)
+ if(nv_isattr(np,NV_INTEGER) && !nv_isarray(np) && mp->nvalue.ip!=np->nvalue.ip && np->nvalue.cp!=Empty)
 {
 mp->nvalue.ip = (int*)num_clone(np,(void*)np->nvalue.ip);
 nv_offattr(mp,NV_NOFREE);
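Review bot: The added `!nv_isarray(np)` test on the new `if` line carries no comment, and the reason given in the commit message — NV_INTEGER on an array node describes its elements, not the node itself — is exactly what a reader of that condition will not guess; a one-line comment above the `if` would preserve it, e.g. `/* NV_INTEGER on an array node describes its elements; num_clone() cannot handle the array node itself */`. The guard also lives only at this call site: num_clone() still accepts an array node and, per the commit message, overruns a buffer when handed one, so if it has other NV_INTEGER callers the same out-of-bounds access stays reachable there, and a check or assertion inside num_clone() would make the fix hold regardless of caller. Whether the array node's value is still cloned by a later path once this branch is skipped cannot be seen from the hunk, as nv_clone() continues past it. The condition is now long enough that splitting it over two lines would help readability.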