sh: Fix job pointer invalidation with trapsasync

Calling dotrap() can do almost anything, including reallocating the
jobtab array. Convert the job pointer to an index before calling
dotrap() and then restore a proper job pointer afterwards.

PR: 290330
Reported by: bdrewery
Reviewed by: bdrewery
Differential Revision: https://reviews.freebsd.org/D53793

(cherry picked from commit f44ac8cc9c10d7305223a10b8dbd8e234388cc73)

sh: Fix a double free in a rare scenario with pipes

The command
    sh -c 'sleep 3 | sleep 2 & sleep 3 & kill %1; wait %1'
crashes (with appropriate sanitization such as putting
MALLOC_CONF=abort:true,junk:true in the environment or compiling with
-fsanitize=address).

What happens here is that waitcmdloop() calls dowait() with a NULL job
pointer, instructing dowait() to freejob() if it's a non-interactive
shell and $! was not and cannot be referenced for it. However,
waitcmdloop() then uses fields possibly freed by freejob() and calls
freejob() again.

This only occurs if the job being waited for is identified via % syntax
($! has never been referenced for it), it is a pipeline with two or more
elements and another background job has been started before the wait
command. That seems special enough for a bug to remain. Test scripts
written by Jilles would almost always use $! and not % syntax.

[15 lines not shown]

textproc/gspell: update to 1.14.2

News in 1.14.2, 2025-11-28 (stable version)
-------------------------------------------
* Publish tarballs from CI.

News in 1.14.1, 2025-10-01 (stable version)
-------------------------------------------
* Documentation: update some URLs.
* Translation updates.

We do not appear to need LIB_DEPENDS= libfribidi.so:converters/fribidi
or LIB_DEPENDS= libharfbuzz.so:print/harfbuzz. [truckman]

PR: 289967

graphics/papers: new port

Papers is a document viewer capable of displaying multiple and single
page document formats like PDF and DejaVu. For more general information
about Papers and how to get started, please visit
https://welcome.gnome.org/app/Papers

PR: 290390

textproc/meld: limit portscout to stable releases

Limit portscout to searching for stable, even-numbered minor releases.

PR: 286931
Reported by: Charlie Li <vishwin at freebsd.org>

net/jsch: Remove expired port

2026-01-31 net/jsch: Upstream website does not exist. No ports depend on this. It does not compile on jdk21. See also: https://github.com/mwiede/jsch

archivers/py-brotlipy: Remove expired port

2026-01-31 archivers/py-brotlipy: This project has been archived. The maintainers of this project have marked this project as archived. No new releases are expected. Use archivers/py-brotlicffi instead