Subject: Re: bin/29410
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Peter Bex <Peter.Bex@student.kun.nl>
List: netbsd-bugs
Date: 03/02/2005 16:52:02
The following reply was made to PR bin/29410; it has been noted by GNATS.

From: Peter Bex <Peter.Bex@student.kun.nl>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/29410
Date: Wed, 02 Mar 2005 17:50:55 +0100

 After some digging in the code (which is rather spaghetti-like IMHO),
 I found what the bug is.
 
 When longjmp in the error handler returns to the setjmp in line 953 of eval.c,
 the savecmdname is not set (i.e., set to an unspecified value).  When
 commandname is assigned to be savecmdname in line 997 of eval.c (which
 gets executed because the error is of type EXERROR, a generic error) it
 doesn't contain a valid string.  When the error gets printed, the string
 accessed causes a segfault.
 
 Patch for src/bin/sh/eval.c attached.
 
 Index: eval.c
 ===================================================================
 RCS file: /cvsroot/src/bin/sh/eval.c,v
 retrieving revision 1.75
 diff -u -r1.75 eval.c
 --- eval.c	14 Nov 2003 10:27:10 -0000	1.75
 +++ eval.c	2 Mar 2005 16:36:43 -0000
 @@ -949,6 +949,7 @@
  		e = -1;
  		savehandler = handler;
  		handler = &jmploc;
 +		savecmdname = commandname;
  		if (!setjmp(jmploc.loc)) {
  			/* We need to ensure the command hash table isn't
  			 * corruped by temporary PATH assignments.
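Review bot: the added `savecmdname = commandname;` just above `if (!setjmp(jmploc.loc))` carries no comment saying why it has to sit outside the block, so a later tidy-up could move it back next to the code that uses it. A one-line comment stating that the save must precede the setjmp, because the path taken after a longjmp restores commandname from it, would protect the fix.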
 @@ -964,7 +965,6 @@
  				temp_path = 0;
  			redirect(cmd->ncmd.redirect, mode);
  
 -			savecmdname = commandname;
  			/* exec is a special builtin, but needs this list... */
  			cmdenviron = varlist.list;
  			/* we must check 'readonly' flag for all builtins */
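Review bot: with the save dropped from below `redirect(cmd->ncmd.redirect, mode);`, the value is now captured before the temporary PATH handling and redirect() run, so please confirm that neither of them changes commandname on the non-error path; otherwise the value restored afterwards differs from what revision 1.75 restored. A regression test that makes the error fire before this point would also stop the ordering from being undone unnoticed.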
 
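A reduced model of the ordering problem described in the message, as an added example that is not part of the original post and not code from eval.c. `early_step`, `run_builtin`, the `save_early` flag and the NULL sentinel are assumptions made for illustration; NULL stands in for the unspecified value so the outcome is deterministic.

```c
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

/* Reduced model of the pattern in the report; not code from eval.c. */
static jmp_buf *handler;         /* innermost error handler */
static const char *commandname;  /* name used when an error is printed */

static void raise_error(void) { longjmp(*handler, 1); }

/* Hypothetical stand-in for a step that can fail before the builtin runs. */
static void early_step(int fail) { if (fail) raise_error(); }

/* Runs one "builtin" and returns commandname as restored afterwards.
 * save_early = 0: save inside the setjmp block (ordering before the patch)
 * save_early = 1: save before setjmp (ordering after the patch)
 * NULL is a constructed sentinel standing in for the unspecified value. */
static const char *run_builtin(const char *name, int fail, int save_early)
{
    jmp_buf jmploc;
    jmp_buf *savehandler = handler;
    const char *volatile savecmdname = NULL;

    handler = &jmploc;
    if (save_early)
        savecmdname = commandname;
    if (!setjmp(jmploc)) {
        early_step(fail);            /* may longjmp past the late save */
        if (!save_early)
            savecmdname = commandname;
        commandname = name;          /* builtin body would run here */
    }
    commandname = savecmdname;       /* restore runs on both paths */
    handler = savehandler;
    return commandname;
}

int main(void)
{
    commandname = "sh";
    const char *late = run_builtin("cd", 1, 0);
    commandname = "sh";
    const char *early = run_builtin("cd", 1, 1);
    printf("late save: %s, early save: %s\n",
           late ? late : "(unset)", early ? early : "(unset)");
    return 0;
}
```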