ASAN reports a `global-buffer-overflow` error for ifs/shcomp

[krader1961]

On macOS the ifs/shcomp test fails under ASAN:

ERROR: AddressSanitizer: global-buffer-overflow on address 0x000101bc5de3 at pc 0x00010184a6ab bp 0x7fff5e5321f0 sp 0x7fff5e5321e8
READ of size 1 at 0x000101bc5de3 thread T0
    #0 0x10184a6aa in sh_endword lex.c:2148
    #1 0x10183f12a in sh_lex lex.c:1285
    #2 0x1018ffe08 in test_primary (shcomp:x86_64+0x100237e08)
    #3 0x1018fed54 in test_and (shcomp:x86_64+0x100236d54)
    #4 0x1018fec94 in test_or (shcomp:x86_64+0x100236c94)
    #5 0x1018fe0e7 in test_expr (shcomp:x86_64+0x1002360e7)
    #6 0x1018ecc2e in item (shcomp:x86_64+0x100224c2e)
    #7 0x1018ec1b5 in term (shcomp:x86_64+0x1002241b5)
    #8 0x1018ebeba in list (shcomp:x86_64+0x100223eba)
    #9 0x1018eaf7e in sh_cmd (shcomp:x86_64+0x100222f7e)
    #10 0x1018eb257 in sh_cmd (shcomp:x86_64+0x100223257)
    #11 0x1018eb257 in sh_cmd (shcomp:x86_64+0x100223257)
    #12 0x1018ed41d in item (shcomp:x86_64+0x10022541d)
    #13 0x1018ec1b5 in term (shcomp:x86_64+0x1002241b5)
    #14 0x1018ebeba in list (shcomp:x86_64+0x100223eba)
    #15 0x1018eaf7e in sh_cmd (shcomp:x86_64+0x100222f7e)
    #16 0x1018eaabf in sh_parse (shcomp:x86_64+0x100222abf)
    #17 0x1016cad67 in main shcomp.c:152
    #18 0x7fffc8353234 in start (libdyld.dylib:x86_64+0x5234)

0x000101bc5de3 is located 61 bytes to the left of global variable 'sh_lexstate5' defined in '../src/cmd/ksh93/data/lexstates.c:171:19' (0x101bc5e20) of size 256
0x000101bc5de3 is located 3 bytes to the right of global variable 'sh_lexstate4' defined in '../src/cmd/ksh93/data/lexstates.c:148:19' (0x101bc5ce0) of size 256

The problem lies with this block of code in the sh_endword() function:

            int idx = *dp++ = *sp++;
            while ((n = state[idx]) == 0) {
                idx = *dp++ = *sp++;
            }

The problem is that dp and sp are of type char*; i.e., point to chars which can be signed or unsigned. If any char has a value > 127 and the native char type is signed then the assignment to idx means it gets a negative value. Oops!

P.S., You'll note that arrays sh_lexstate4 and sh_lexstate5 have 256 entries. So clearly the intent is to index into those arrays using a value legal for an unsigned char.

[krader1961]

Also, note that ASAN causes the compiler to separate global vars by a fixed amount but we have no control over that value AFAICT. On my system the separation appears to be 64 bytes. So if the broken code shown in the opening comment had used a negative index less than -64 (and greater than -320, the start of the previous global var) the illegal access would not have been caught.

[krader1961]

There is a related bug in function sh_lex() when the character from fcgetc() is -1.