cdesktopenv/src/cmd
Martijn Dekker f24040ee45 Fix use after free in sh_funstaks() (re: 69d37d5e)
The referenced commit introduced the NIL (NULL) assignment in:

	stakdelete(slpold->slptr);
	slpold->slptr = NIL(Stak_t*);

First the stack is closed/freed with stakdelete() a.k.a.
stkclose(), then its pointer is reset. Looks correct, right?

Wrong: slpold may itself be in the allocated region that
slpold->slptr points to. That's because we're dealing with a linked
list of stacks, in which a pointer on each stack points to the next
stack. So there are scenarios in which, after the stakdelete()
call, dereferencing slpold is a use after free.

Most systems quietly tolerate this use after free. But, according
to @JohnoKing's testing, this bug was causing 23 crashes in the
regression tests after compiling ksh with AddressSanitizer enabled.

src/cmd/ksh93/sh/parse.c: sh_funstaks():
- Save the value of slpold->slptr and reset that pointer before
  calling stakdelete() a.k.a. stkclose().

Resolves: https://github.com/ksh93/ksh/issues/517
2022-08-19 15:55:10 +01:00
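The ordering bug described above, as an added C example that is not ksh93's code and is not taken from the referenced commits. The names slpold, slptr, stakdelete() and NIL() follow the commit message; the struct layouts, the bump allocator inside each stack, and the poisoning "quarantine" that stands in for free() are assumptions made so the stray write can be observed in a test instead of being undefined behaviour. The point it shows is why the field must be cleared before the stack is deleted when the list record itself lives inside that stack.

```c
/* Added example (not ksh93 code): model of the sh_funstaks() ordering bug.
 * Layouts, allocator and quarantine are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NIL(type) ((type)0)      /* modelled on AST's NIL macro (assumption) */
#define POISON    0xA5           /* byte pattern written over deleted stacks */
#define MAX_QUAR  32

typedef struct Stak {
    size_t size;                 /* bytes available in data[] */
    size_t used;                 /* bytes handed out so far */
    char   data[];               /* region that objects are carved from */
} Stak_t;

typedef struct Slp {
    struct Slp *slpnext;         /* next list entry */
    Stak_t     *slptr;           /* the stack this entry owns */
} Slp_t;

/* Deleted stacks are poisoned and parked here instead of freed, much as
 * AddressSanitizer quarantines freed chunks, so a write after stakdelete()
 * leaves a visible mark rather than crashing or being quietly tolerated. */
static Stak_t *quarantine[MAX_QUAR];
static size_t  quar_size[MAX_QUAR];
static int     nquar;

static Stak_t *stakopen(size_t size)
{
    Stak_t *s = malloc(sizeof *s + size);
    if (!s) abort();
    s->size = size;
    s->used = 0;
    return s;
}

static void *stakalloc(Stak_t *s, size_t n)
{
    n = (n + 15) & ~(size_t)15;  /* keep every object 16-byte aligned */
    if (s->used + n > s->size) abort();
    void *p = s->data + s->used;
    s->used += n;
    return p;
}

static void stakdelete(Stak_t *s)
{
    size_t total = sizeof *s + s->size;  /* read the size before poisoning it */
    memset(s, POISON, total);
    if (nquar == MAX_QUAR) abort();
    quar_size[nquar] = total;
    quarantine[nquar++] = s;
}

/* 1 if no quarantined stack has been written to since it was deleted. */
static int quarantine_intact(void)
{
    for (int i = 0; i < nquar; i++) {
        const unsigned char *p = (const unsigned char *)quarantine[i];
        for (size_t j = 0; j < quar_size[i]; j++)
            if (p[j] != POISON) return 0;
    }
    return 1;
}

static void quarantine_release(void)
{
    while (nquar > 0) free(quarantine[--nquar]);
}

/* Each list record is allocated inside the very stack it points to, which is
 * the layout that makes slpold live in the region slpold->slptr owns. */
static Slp_t *slp_push(Slp_t *head, size_t stacksize)
{
    Stak_t *stak = stakopen(stacksize);
    Slp_t  *slp  = stakalloc(stak, sizeof *slp);
    slp->slptr   = stak;
    slp->slpnext = head;
    return slp;
}

/* Ordering from the referenced commit: delete first, reset second.
 * The reset writes into memory that stakdelete() has already released. */
static int funstaks_delete_buggy(Slp_t *slp)
{
    int n = 0;
    while (slp) {
        Slp_t *slpold = slp;
        slp = slpold->slpnext;
        stakdelete(slpold->slptr);
        slpold->slptr = NIL(Stak_t*);   /* use after free */
        n++;
    }
    return n;
}

/* Ordering from the fix: save slptr, clear the field while slpold is still
 * valid, then delete the stack and never touch slpold again. */
static int funstaks_delete_fixed(Slp_t *slp)
{
    int n = 0;
    while (slp) {
        Slp_t  *slpold  = slp;
        Stak_t *savstak = slpold->slptr;
        slp = slpold->slpnext;
        slpold->slptr = NIL(Stak_t*);
        stakdelete(savstak);
        n++;
    }
    return n;
}

/* Builds a constructed three-entry list, runs one of the two delete routines
 * and returns 1 if the quarantine still holds its poison, 0 if a write
 * landed in deleted memory, -1 if the list was not fully walked. */
static int run(int use_fix)
{
    Slp_t *list = NULL;
    for (int i = 0; i < 3; i++) list = slp_push(list, 64);
    int n = use_fix ? funstaks_delete_fixed(list) : funstaks_delete_buggy(list);
    int clean = quarantine_intact();
    quarantine_release();
    return n == 3 ? clean : -1;
}

int main(void)
{
    printf("buggy ordering: %s\n", run(0) == 1 ? "clean" : "wrote into deleted stack");
    printf("fixed ordering: %s\n", run(1) == 1 ? "clean" : "wrote into deleted stack");
    return 0;
}
```

With a real free() the buggy write usually lands in memory the allocator no longer cares about, which is why most systems tolerate it; the poisoning quarantine here makes the same write detectable the way AddressSanitizer would, and the fixed routine leaves every deleted stack untouched.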
INIT package install: fix a non-POSIX-ism (re: dde4451b) 2022-08-02 22:44:55 +02:00
builtin Update author attributions in all source files 2022-07-31 00:47:08 +02:00
ksh93 Fix use after free in sh_funstaks() (re: 69d37d5e) 2022-08-19 15:55:10 +01:00
Mamfile More misc. tweaks and cleanups 2022-07-14 17:34:08 +02:00