Fedora Account System
Red Hat Associate
Red Hat Customer
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
Created attachment 1319079 [details] Fix memory corruption caused by accessing array with negative index
Comment on attachment 1319079 [details] Fix memory corruption caused by accessing array with negative index > diff --git a/src/cmd/ksh93/sh/io.c b/src/cmd/ksh93/sh/io.c > --- a/src/cmd/ksh93/sh/io.c > +++ b/src/cmd/ksh93/sh/io.c > @@ -403,38 +403,50 @@ static short filemapsize; > > /* ======== input output and file copying ======== */ > > -int sh_iovalidfd(Shell_t *shp, int fd) > +bool sh_iovalidfd(Shell_t *shp, int fd) > { > Sfio_t **sftable = shp->sftable; > int max,n, **fdptrs = shp->fdptrs; > - unsigned char *fdstatus = shp->fdstatus; > + unsigned int *fdstatus = shp->fdstatus; This looks incorrect to me. shp->fdstatus is defined as (unsigned char *) in <ksh93/include/defs.h>. We should not cast it to an incompatible pointer type just in this function because it would result in undefined behavior.
Created attachment 1319143 [details] Fix memory corruption caused by accessing array with negative index
Comment on attachment 1319143 [details] Fix memory corruption caused by accessing array with negative index Looks good.