Backport ksh93v- bugfix for a possible crash in types.sh (#812)

This commit backports a bugfix from ksh93v- 2012-08-24 for a possible crash at the first strncmp in create_type(). This crash will occur if the size and/or alignment of Namval struct is changed (i.e., if np->nvsize or np->nvflag is upgraded to a larger data type). src/cmd/ksh93/sh/nvtype.c: - Account for NV_MINSZ when setting the 'base' string to ensure no invalid reads occur because of changes in the size of Namval_t. - Additionally, store the return value from strlen in a size_t variable.
ksh93 · Jan 5, 2025 · 375c6c3 · 375c6c3
1 parent cbdb8bc
commit 375c6c3
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/cmd/ksh93/sh/nvtype.c b/src/cmd/ksh93/sh/nvtype.c
@@ -481,8 +481,8 @@ static Namval_t *create_type(Namval_t *np,const char *name,int flag,Namfun_t *fp
 	n = (cp-1) -name;
 	if(dp->numnodes && dp->strsize<0)
 	{
-		char *base =  (char*)np-sizeof(Dtlink_t);
-		int m=strlen(np->nvname);
+		char *base =  (char*)np-(NV_MINSZ-sizeof(Dtlink_t));
+		size_t m=strlen(np->nvname);
 		while((nq=nv_namptr(base,++i)) && strncmp(nq->nvname,np->nvname,m)==0)
 		{
 			if(nq->nvname[m]=='.' && strncmp(name,&nq->nvname[m+1],n)==0 && nq->nvname[m+n+1]==0)