From ca7a49ba086c1dc86138c749422c37e313c0be66 Mon Sep 17 00:00:00 2001
From: Siteshwar Vashisht
Date: Aug 29 2017 16:10:11 +0000
Subject: Fix a memory corruption Resolves: #1464409
---
diff --git a/ksh-20120801-sh_iovalidfd.patch b/ksh-20120801-sh_iovalidfd.patch
new file mode 100644
index 0000000..bdd9154
--- /dev/null
+++ b/ksh-20120801-sh_iovalidfd.patch
@@ -0,0 +1,79 @@
+diff --git a/src/cmd/ksh93/include/io.h b/src/cmd/ksh93/include/io.h
+--- a/src/cmd/ksh93/include/io.h
++++ b/src/cmd/ksh93/include/io.h
+@@ -79,7 +79,7 @@ extern Sfio_t *sh_iostream(Shell_t*,int);
+ extern int sh_redirect(Shell_t*,struct ionod*,int);
+ extern void sh_iosave(Shell_t *, int,int,char*);
+ extern int safefdnumber(Shell_t* shp, int sfd);
+-extern int sh_iovalidfd(Shell_t*, int);
++extern bool sh_iovalidfd(Shell_t*, int);
+ extern int sh_inuse(Shell_t*, int);
+ extern void sh_iounsave(Shell_t*);
+ extern void iounpipe(Shell_t*);
+diff --git a/src/cmd/ksh93/sh/io.c b/src/cmd/ksh93/sh/io.c
+--- a/src/cmd/ksh93/sh/io.c
++++ b/src/cmd/ksh93/sh/io.c
+@@ -403,38 +403,50 @@ static short filemapsize;
+
+ /* ======== input output and file copying ======== */
+
+
+-int sh_iovalidfd(Shell_t *shp, int fd)
++bool sh_iovalidfd(Shell_t *shp, int fd)
+ {
+ Sfio_t **sftable = shp->sftable;
+ int max,n, **fdptrs = shp->fdptrs;
+ unsigned char *fdstatus = shp->fdstatus;
+ if(fd<0)
+- return(0);
++ return(false);
+ if(fd < shp->gd->lim.open_max)
+- return(1);
++ return(true);
+ max = strtol(astconf("OPEN_MAX",NiL,NiL),NiL,0);
+ if(fd >= max)
+ {
+ errno = EBADF;
+- return(0);
++ return(false);
+ }
+ n = (fd+16)&~0xf;
+- if(n > max)
+- n = max;
++ if(n++ > max)
++ n = max+1;
+ max = shp->gd->lim.open_max;
+- shp->sftable = (Sfio_t**)calloc((n+1)*(sizeof(int*)+sizeof(Sfio_t*)+1),1);
+- if(max)
+- memcpy(shp->sftable,sftable,max*sizeof(Sfio_t*));
++ shp->sftable = (Sfio_t**)calloc((n+1)*(sizeof(int*)+sizeof(Sfio_t*)+sizeof(*fdstatus)),1);
++
++ if(sftable)
++ {
++ --sftable;
++ if(max)
++ memcpy(shp->sftable,sftable,++max*sizeof(Sfio_t*));
++
++ }
++
+ shp->fdptrs = (int**)(&shp->sftable[n]);
+ if(max)
+- memcpy(shp->fdptrs,fdptrs,max*sizeof(int*));
++ memcpy(shp->fdptrs,--fdptrs,max*sizeof(int*));
+ shp->fdstatus = (unsigned char*)(&shp->fdptrs[n]);
+ if(max)
+- memcpy(shp->fdstatus,fdstatus,max);
++ memcpy(shp->fdstatus,--fdstatus,max);
++
+ if(sftable)
+ free((void*)sftable);
+- shp->gd->lim.open_max = n;
+- return(1);
++
++ shp->sftable++;
++ shp->fdptrs++;
++ shp->fdstatus++;
++ shp->gd->lim.open_max = n-1;
++ return(true);
+ }
+
+ int sh_inuse(Shell_t *shp, int fd)
diff --git a/ksh.spec b/ksh.spec
index 45562a1..d3fd3af 100644
--- a/ksh.spec
+++ b/ksh.spec
@@ -8,7 +8,7 @@ URL: http://www.kornshell.com/
 #CPL everywhere else (for KSH itself)
 License: CPL
 Version: %{releasedate}
-Release: 41%{?dist}
+Release: 42%{?dist}
 Source0: http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{release_date}.tgz
 Source1: http://www.research.att.com/~gsf/download/tgz/INIT.%{release_date}.tgz
 Source2: kshcomp.conf
@@ -199,6 +199,9 @@ Patch81: ksh-20120801-subshell-jobwait.patch
 # rhbz#1471874
 Patch82: ksh-20120801-posix-exit.patch
 
+# rhbz#1464409
+Patch83: ksh-20120801-sh_iovalidfd.patch
+
 Conflicts: pdksh
 Requires: coreutils, diffutils, chkconfig
 BuildRequires: bison
@@ -322,6 +325,10 @@ fi
 %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf
 
 %changelog
+* Mon Aug 28 2017 Siteshwar Vashisht - 20120801-42
+- Fix a memory corruption
+ Resolves: #1464409
+
 * Mon Aug 14 2017 Siteshwar Vashisht - 20120801-41
 - Use posix exit code if last command exits due to a signal
 Resolves: #1471874
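Review bot: The `calloc` result assigned to `shp->sftable` in the rewritten `sh_iovalidfd` is still used without a NULL check, so an allocation failure flows straight into the three `memcpy` calls and the `shp->sftable++` adjustment, and the shell writes through a null-derived pointer instead of rejecting the descriptor. Right after the allocation I would add `if(!shp->sftable) { shp->sftable = sftable; return(false); }`, which works at that point because the local `sftable` has not been decremented yet and still holds the old table. Separately, `++max` is buried in the first `memcpy` argument inside `if(sftable)`, while the `fdptrs` and `fdstatus` copies are guarded only by `if(max)` and depend on that increment having happened; moving it to its own statement (`max++;`) and putting all three copies under the same `if(sftable)` guard would keep the copy sizes in step. Whether `sftable` can be NULL while `lim.open_max` is non-zero is not visible in this patch, so that second part is a robustness point rather than a confirmed bug.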