Hi,

I have a situation in ksh93 where free() is called
on statically allocated memory and I would like to
discuss a fix.

The free() happens at the end of b_cd() in src/cmd/ksh93/bltins/cd_pwd.c:

if(*dir != '/')
return(0);
nv_putval(opwdnod,oldpwd,NV_RDONLY);
if(oldpwd)
free(oldpwd);

oldpwd points to e_dot, which is const char [].

This is the place in b_cd() where oldpwd is set from path_pwd():

oldpwd = (char*)shp->pwd;
[...]
#if _WINIX
if(*dir != '/' && (dir[1]!=':'))
#else
if(*dir != '/')
#endif /* _WINIX */
{
[...]
if(!oldpwd)
oldpwd = path_pwd(shp,1);
}

The path_pwd() is from src/cmd/ksh93/sh/path.c.
The return type of path_pwd() is char* but it can return pointers
to statically allocated memory.

In my situation on Solaris, the line

oldpwd = (char*)shp->pwd;

is changed to

oldpwd = path_pwd(shp,0);

in order to deal with different crash bug, and it is where oldpwd
gets to point to e_dot.

What's the ok fix here given what it looks like the need
to sometimes free the return values from path_pwd()
but not every time?

Tomas Klacko