From 289888b41d30d532688628c237d8583f8f319000 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 23 2021 14:36:57 +0000
Subject: import ksh-20120801-143.el7_9


---

diff --git a/SOURCES/ksh-20120801-stack-robustness.patch b/SOURCES/ksh-20120801-stack-robustness.patch
new file mode 100644
index 0000000..e22bee2
--- /dev/null
+++ b/SOURCES/ksh-20120801-stack-robustness.patch
@@ -0,0 +1,153 @@
+From 4604df9ada906e0a6537157a63b6ce7c0509f34d Mon Sep 17 00:00:00 2001
+From: Martijn Dekker <martijn@inlv.org>
+Date: Thu, 28 Jan 2021 06:08:38 +0000
+Subject: [PATCH] Stack robustness fixes from OpenSUSE
+
+Three OpenSUSE patches from:
+https://build.opensuse.org/package/show/shells/ksh
+
+As usual, the relevant bug is not currently public:
+https://bugzilla.opensuse.org/show_bug.cgi?id=844071
+
+src/cmd/ksh93/sh/xec.c: sh_debug()/sh_exec():
+- Fix stk restoration. [bnc#844071]
+
+src/lib/libast/misc/stk.c:
+- Fix stk aliasing code. [bnc#844071]
+  (ksh93-stkalias.dif)
+- Make a unknown location fatal in stkset() so that we get a core
+  dump right away instead of later in an unrelated part of code.
+  (ksh93-stkset-abort.dif)
+
+src/lib/libast/man/stk.3,
+src/lib/libast/man/stak.3:
+- Update manual with new stkset() behaviour. (93u+m addition)
+  (Note that stak is implemented as macros that translate to stk)
+---
+ src/cmd/ksh93/sh/xec.c    |  6 +++---
+ src/lib/libast/man/stak.3 |  5 +++--
+ src/lib/libast/man/stk.3  |  5 +++--
+ src/lib/libast/misc/stk.c | 16 ++++++++++------
+ 4 files changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c
+index 23526098ec20..ca3876394d63 100644
+--- a/src/cmd/ksh93/sh/xec.c
++++ b/src/cmd/ksh93/sh/xec.c
+@@ -646,8 +646,8 @@ int sh_debug(Shell_t *shp, const char *trap, const char *name, const char *subsc
+ 	Stk_t			*stkp=shp->stk;
+ 	struct sh_scoped	savst;
+ 	Namval_t		*np = SH_COMMANDNOD;
+-	char			*sav = stkptr(stkp,0);
+ 	int			n=4, offset=stktell(stkp);
++	char			*sav = stkfreeze(stkp,0);
+ 	const char		*cp = "+=( ";
+ 	Sfio_t			*iop = stkstd;
+ 	short			level;
+@@ -702,7 +702,7 @@ int sh_debug(Shell_t *shp, const char *trap, const char *name, const char *subsc
+ 	nv_putval(SH_FUNNAMENOD,shp->st.funname,NV_NOFREE);
+ 	shp->st = savst;
+ 	if(sav != stkptr(stkp,0))
+-		stkset(stkp,sav,0);
++		stkset(stkp,sav,offset);
+ 	else
+ 		stkseek(stkp,offset);
+ 	return(n);
+@@ -962,7 +962,7 @@ int sh_exec(register const Shnode_t *t, int flags)
+ 		int		ntflag = 0;
+ #endif
+ 		int		topfd = shp->topfd;
+-		char 		*sav=stkptr(stkp,0);
++		char 		*sav=stkfreeze(stkp,0);
+ 		char		*cp=0, **com=0, *comn;
+ 		int		argn;
+ 		int 		skipexitset = 0;
+diff --git a/src/lib/libast/man/stak.3 b/src/lib/libast/man/stak.3
+index 5feac69..89e0f54 100644
+--- a/src/lib/libast/man/stak.3
++++ b/src/lib/libast/man/stak.3
+@@ -109,8 +109,9 @@ the given \fIaddress\fP, and sets the current object to the given
+ \fIaddress\fP.
+ The top of the current object is set to \fIoffset\fP bytes from
+ current object.
+-If \fIaddress\fP is not the address of an object on the
+-stack the result is undefined.
++If \fIaddress\fP is null, the stack is reset to the beginning.
++If it is non-null, but is not the address of an object on the
++stack, the program aborts and dumps core.
+ .PP
+ The remaining functions are used to build the current object incrementally.
+ An object that is built incrementally on the stack will  
+diff --git a/src/lib/libast/man/stk.3 b/src/lib/libast/man/stk.3
+index 20dfdbefa44c..dd5705cf1188 100644
+--- a/src/lib/libast/man/stk.3
++++ b/src/lib/libast/man/stk.3
+@@ -110,8 +110,9 @@ the given \fIaddress\fP, and sets the current object to the given
+ \fIaddress\fP.
+ The top of the current object is set to \fIoffset\fP bytes from
+ current object.
+-If \fIaddress\fP is not the address of an object on the
+-stack the result is undefined.
++If \fIaddress\fP is null, the stack is reset to the beginning.
++If it is non-null, but is not the address of an object on the
++stack, the program aborts and dumps core.
+ .PP
+ The \f5sfio\fP(3) output functions can be used to build
+ current object incrementally.
+diff --git a/src/lib/libast/misc/stk.c b/src/lib/libast/misc/stk.c
+index 31cd0911dd29..f147ae4fec8c 100644
+--- a/src/lib/libast/misc/stk.c
++++ b/src/lib/libast/misc/stk.c
+@@ -331,9 +331,9 @@ int stkon(register Sfio_t * stream, register char* loc)
+ }
+ /*
+  * reset the bottom of the current stack back to <loc>
+- * if <loc> is not in this stack, then the stack is reset to the beginning
++ * if <loc> is null, then the stack is reset to the beginning
++ * if <loc> is not in this stack, the program dumps core
+  * otherwise, the top of the stack is set to stkbot+<offset>
+- *
+  */
+ char *stkset(register Sfio_t * stream, register char* loc, size_t offset)
+ {
+@@ -377,6 +377,9 @@ char *stkset(register Sfio_t * stream, register char* loc, size_t offset)
+ 			break;
+ 		frames++;
+ 	}
++	/* not found: produce a useful stack trace now instead of a useless one later */
++	if(loc)
++		abort();
+ 	/* set stack back to the beginning */
+ 	cp = (char*)(fp+1);
+ 	if(frames)
+@@ -503,7 +506,7 @@ static char *stkgrow(register Sfio_t *stream, size_t size)
+ 	register char *cp, *dp=0;
+ 	register size_t m = stktell(stream);
+ 	size_t endoff;
+-	char *end=0;
++	char *end=0, *oldbase=0;
+ 	int nn=0,add=1;
+ 	n += (m + sizeof(struct frame)+1);
+ 	if(sp->stkflags&STK_SMALL)
+@@ -519,6 +522,7 @@ static char *stkgrow(register Sfio_t *stream, size_t size)
+ 		dp=sp->stkbase;
+ 		sp->stkbase = ((struct frame*)dp)->prev;
+ 		end = fp->end;
++		oldbase = dp;
+ 	}
+ 	endoff = end - dp;
+ 	cp = newof(dp, char, n, nn*sizeof(char*));
+@@ -545,10 +549,10 @@ static char *stkgrow(register Sfio_t *stream, size_t size)
+ 	if(fp->nalias=nn)
+ 	{
+ 		fp->aliases = (char**)fp->end;
+-		if(end && nn>1)
+-			memmove(fp->aliases,end,(nn-1)*sizeof(char*));
++		if(end && nn>add)
++			memmove(fp->aliases,end,(nn-add)*sizeof(char*));
+ 		if(add)
+-			fp->aliases[nn-1] = dp + roundof(sizeof(struct frame),STK_ALIGN);
++			fp->aliases[nn-1] = oldbase + roundof(sizeof(struct frame),STK_ALIGN);
+ 	}
+ 	if(m && !dp)
+ 	{
diff --git a/SPECS/ksh.spec b/SPECS/ksh.spec
index c7883c4..eacf3c2 100644
--- a/SPECS/ksh.spec
+++ b/SPECS/ksh.spec
@@ -8,7 +8,7 @@ Group:        System Environment/Shells
 #CPL everywhere else (for KSH itself)
 License:      EPL
 Version:      20120801
-Release:      142%{?dist}
+Release:      143%{?dist}
 Source0:      http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{releasedate}.tgz
 Source1:      http://www.research.att.com/~gsf/download/tgz/INIT.%{releasedate}.tgz
 Source2:      kshcomp.conf
@@ -195,6 +195,10 @@ Patch79: ksh-20120801-nv_open-memcmp.patch
 # rhbz#1790544
 Patch80: ksh-20120801-cve-2019-14868.patch
 
+# rhbz#2007364
+# upstream commit: https://github.com/ksh93/ksh/commit/4604df9ada906e0a6537157a63b6ce7c0509f34d
+Patch81: ksh-20120801-stack-robustness.patch
+
 BuildRoot:    %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Conflicts:    pdksh
 Requires: coreutils, diffutils, chkconfig
@@ -276,6 +280,7 @@ with "sh" (the Bourne Shell).
 %patch78 -p1 -b .validate-fd
 %patch79 -p1 -b .nv_open-memcmp
 %patch80 -p1 -b .cve-2019-14868
+%patch81 -p1 -b .stack-robustness
 
 #/dev/fd test does not work because of mock
 sed -i 's|ls /dev/fd|ls /proc/self/fd|' src/cmd/ksh93/features/options
@@ -401,6 +406,10 @@ fi
     rm -rf $RPM_BUILD_ROOT
 
 %changelog
+* Fri Oct 01 2021 Vincent Mihalkovic <vmihalko@redhat.com> - 20120801-143
+- Stack robustness fixes
+  Related: #2007364
+
 * Mon Feb 17 2020 Siteshwar Vashisht <svashisht@redhat.com> - 20120801-142
 - Bump version number
   Related: #1790544