Fix a memory corruption

Resolves: #1464409
2017-08-29 18:09:18 +02:00 · 2017-08-29 18:09:18 +02:00 · ca7a49ba08
commit ca7a49ba08
parent 470f54ec47
2 changed files with 87 additions and 1 deletions
--- a/ksh-20120801-sh_iovalidfd.patch
+++ b/ksh-20120801-sh_iovalidfd.patch
@ -0,0 +1,79 @@
+diff --git a/src/cmd/ksh93/include/io.h b/src/cmd/ksh93/include/io.h
+--- a/src/cmd/ksh93/include/io.h
+++ b/src/cmd/ksh93/include/io.h
+@@ -79,7 +79,7 @@ extern Sfio_t 	*sh_iostream(Shell_t*,int);
+ extern int	sh_redirect(Shell_t*,struct ionod*,int);
+ extern void 	sh_iosave(Shell_t *, int,int,char*);
+ extern int 	safefdnumber(Shell_t* shp, int sfd);
+-extern int 	sh_iovalidfd(Shell_t*, int);
+extern bool 	sh_iovalidfd(Shell_t*, int);
+ extern int 	sh_inuse(Shell_t*, int);
+ extern void 	sh_iounsave(Shell_t*);
+ extern void	iounpipe(Shell_t*);
+diff --git a/src/cmd/ksh93/sh/io.c b/src/cmd/ksh93/sh/io.c
+--- a/src/cmd/ksh93/sh/io.c
+++ b/src/cmd/ksh93/sh/io.c
+@@ -403,38 +403,50 @@ static short		filemapsize;
+ 
+ /* ======== input output and file copying ======== */
+ 
+-int  sh_iovalidfd(Shell_t *shp, int fd)
+bool  sh_iovalidfd(Shell_t *shp, int fd)
+ {
+ 	Sfio_t		**sftable = shp->sftable;
+ 	int		max,n, **fdptrs = shp->fdptrs;
+ 	unsigned char	*fdstatus = shp->fdstatus;
+ 	if(fd<0)
+-		return(0);
+		return(false);
+ 	if(fd < shp->gd->lim.open_max)
+-		return(1);
+		return(true);
+ 	max = strtol(astconf("OPEN_MAX",NiL,NiL),NiL,0);
+ 	if(fd >= max)
+ 	{
+ 		errno = EBADF;
+-		return(0);
+		return(false);
+ 	}
+ 	n = (fd+16)&~0xf;
+-	if(n > max)
+-		n = max;
+	if(n++ > max)
+		n = max+1;
+ 	max = shp->gd->lim.open_max;
+-	shp->sftable = (Sfio_t**)calloc((n+1)*(sizeof(int*)+sizeof(Sfio_t*)+1),1);
+-	if(max)
+-		memcpy(shp->sftable,sftable,max*sizeof(Sfio_t*));
+	shp->sftable = (Sfio_t**)calloc((n+1)*(sizeof(int*)+sizeof(Sfio_t*)+sizeof(*fdstatus)),1);
+
+	if(sftable)
+	{
+		--sftable;
+		if(max)
+			memcpy(shp->sftable,sftable,++max*sizeof(Sfio_t*));
+
+	}
+
+ 	shp->fdptrs = (int**)(&shp->sftable[n]);
+ 	if(max)
+-		memcpy(shp->fdptrs,fdptrs,max*sizeof(int*));
+		memcpy(shp->fdptrs,--fdptrs,max*sizeof(int*));
+ 	shp->fdstatus = (unsigned char*)(&shp->fdptrs[n]);
+ 	if(max)
+-		memcpy(shp->fdstatus,fdstatus,max);
+		memcpy(shp->fdstatus,--fdstatus,max);
+
+ 	if(sftable)
+ 		free((void*)sftable);
+-	shp->gd->lim.open_max = n;
+-	return(1);
+
+	shp->sftable++;
+	shp->fdptrs++;
+	shp->fdstatus++;
+	shp->gd->lim.open_max = n-1;
+	return(true);
+ }
+ 
+ int  sh_inuse(Shell_t *shp, int fd)
--- a/ksh.spec
+++ b/ksh.spec
@ -8,7 +8,7 @@ URL:          http://www.kornshell.com/
 #CPL everywhere else (for KSH itself)
 License:      CPL
 Version:      %{releasedate}
-Release:      41%{?dist}
+Release:      42%{?dist}
 Source0:      http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{release_date}.tgz
 Source1:      http://www.research.att.com/~gsf/download/tgz/INIT.%{release_date}.tgz
 Source2:      kshcomp.conf
@ -199,6 +199,9 @@ Patch81: ksh-20120801-subshell-jobwait.patch
 # rhbz#1471874
 Patch82: ksh-20120801-posix-exit.patch

+# rhbz#1464409
+Patch83: ksh-20120801-sh_iovalidfd.patch
+
 Conflicts:    pdksh
 Requires: coreutils, diffutils, chkconfig
 BuildRequires: bison
@ -322,6 +325,10 @@ fi
 %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf

 %changelog
+* Mon Aug 28 2017 Siteshwar Vashisht <svashisht@redhat.com> - 20120801-42
+- Fix a memory corruption
+  Resolves: #1464409
+
 * Mon Aug 14 2017 Siteshwar Vashisht <svashisht@redhat.com> - 20120801-41
 - Use posix exit code if last command exits due to a signal
  Resolves: #1471874