This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
Created attachment 1319079 [details] Fix memory corruption caused by accessing array with negative index
Comment on attachment 1319079 [details] Fix memory corruption caused by accessing array with negative index > diff --git a/src/cmd/ksh93/sh/io.c b/src/cmd/ksh93/sh/io.c > --- a/src/cmd/ksh93/sh/io.c > +++ b/src/cmd/ksh93/sh/io.c > @@ -403,38 +403,50 @@ static short filemapsize; > > /* ======== input output and file copying ======== */ > > -int sh_iovalidfd(Shell_t *shp, int fd) > +bool sh_iovalidfd(Shell_t *shp, int fd) > { > Sfio_t **sftable = shp->sftable; > int max,n, **fdptrs = shp->fdptrs; > - unsigned char *fdstatus = shp->fdstatus; > + unsigned int *fdstatus = shp->fdstatus; This looks incorrect to me. shp->fdstatus is defined as (unsigned char *) in <ksh93/include/defs.h>. We should not cast it to an incompatible pointer type just in this function because it would result in undefined behavior.
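Review bot: in the `sh_iovalidfd` hunk, `unsigned int *fdstatus = shp->fdstatus;` changes the element type of the local pointer while it still points at the same buffer, so each `fdstatus[i]` access through it would use a different offset and width than the `unsigned char *` declaration on the removed line. Keep the local as `unsigned char *`, or change the declaration of the `fdstatus` field and everything that sizes that table in the same patch. The `int` to `bool` return type change needs the matching prototype update as well. The quoted portion also stops before any test of `fd`, so confirm that the full hunk rejects `fd < 0` before the value is used as an index.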
Created attachment 1319143 [details] Fix memory corruption caused by accessing array with negative index
Comment on attachment 1319143 [details] Fix memory corruption caused by accessing array with negative index Looks good.