From cb8c37dc664c2c0c12772111d3cc3a560d50cb04 Mon Sep 17 00:00:00 2001
From: Chet Ramey <chet.ramey@case.edu>
Date: Tue, 25 Jul 2017 09:58:13 -0400
Subject: [PATCH] commit bash-20170714 snapshot

---
 CWRU/CWRU.chlog         | 15 +++++++++++++++
 builtins/read.def       |  8 ++++----
 lib/readline/readline.c |  4 ++--
 lib/readline/vi_mode.c  |  3 +++
 4 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/CWRU/CWRU.chlog b/CWRU/CWRU.chlog
index f09f0969..08b11eee 100644
--- a/CWRU/CWRU.chlog
+++ b/CWRU/CWRU.chlog
@@ -14276,3 +14276,18 @@ lib/readline/signals.c
 	- _rl_handle_signal: make sure all uses of any of the job control
 	  signals are protected by a check for SIGTSTP being defined.  Report
 	  from Juan Manuel Guerrero <juan.guerrero@gmx.de>
+
+				   7/11
+				   ----
+lib/readline/vi_mode.c
+	- rl_vi_replace: when making the new keymap for vi replacement mode,
+	  make sure that ANYOTHERKEY is set correctly, otherwise some input
+	  will cause _rl_dispatch to return -2 to the top level.  Fixes fuzzing
+	  bug reported by Ben Wong <benjamin.a.wong@gmail.com>
+
+				   7/19
+				   ----
+builtins/read.def
+	- struct ttsave: make the attrs member a struct, not a pointer, to force
+	  a structure copy that will survive a longjmp to another context.
+	  Leaving it as a pointer to a local struct is not portable
diff --git a/builtins/read.def b/builtins/read.def
index a4ec0654..da9ac2a0 100644
--- a/builtins/read.def
+++ b/builtins/read.def
@@ -115,7 +115,7 @@ extern int errno;
 struct ttsave
 {
   int fd;
-  TTYSTRUCT *attrs;
+  TTYSTRUCT attrs;
 };
 
 #if defined (READLINE)
@@ -494,7 +494,7 @@ read_builtin (list)
 	  /* ttsave() */
 	  termsave.fd = fd;
 	  ttgetattr (fd, &ttattrs);
-	  termsave.attrs = &ttattrs;
+	  termsave.attrs = ttattrs;
 
 	  ttset = ttattrs;	  
 	  i = silent ? ttfd_cbreak (fd, &ttset) : ttfd_onechar (fd, &ttset);
@@ -511,7 +511,7 @@ read_builtin (list)
       /* ttsave (); */
       termsave.fd = fd;
       ttgetattr (fd, &ttattrs);
-      termsave.attrs = &ttattrs;
+      termsave.attrs = ttattrs;
 
       ttset = ttattrs;
       i = ttfd_noecho (fd, &ttset);			/* ttnoecho (); */
@@ -1027,7 +1027,7 @@ static void
 ttyrestore (ttp)
      struct ttsave *ttp;
 {
-  ttsetattr (ttp->fd, ttp->attrs);
+  ttsetattr (ttp->fd, &(ttp->attrs));
   tty_modified = 0;
 }
 
diff --git a/lib/readline/readline.c b/lib/readline/readline.c
index f174d5d3..64154c54 100644
--- a/lib/readline/readline.c
+++ b/lib/readline/readline.c
@@ -530,7 +530,7 @@ readline_internal_charloop (void)
 #endif
 {
   static int lastc, eof_found;
-  int c, code, lk;
+  int c, code, lk, r;
 
   lastc = EOF;
 
@@ -626,7 +626,7 @@ readline_internal_charloop (void)
 	}
 
       lastc = c;
-      _rl_dispatch ((unsigned char)c, _rl_keymap);
+      r = _rl_dispatch ((unsigned char)c, _rl_keymap);
       RL_CHECK_SIGNALS ();
 
       /* If there was no change in _rl_last_command_was_kill, then no kill
diff --git a/lib/readline/vi_mode.c b/lib/readline/vi_mode.c
index db1bd799..3cb7e8c9 100644
--- a/lib/readline/vi_mode.c
+++ b/lib/readline/vi_mode.c
@@ -2074,6 +2074,9 @@ rl_vi_replace (int count, int key)
 	  vi_insertion_keymap[CTRL ('H')].function == rl_rubout)
 	vi_replace_map[CTRL ('H')].function = rl_vi_overstrike_delete;
 
+      /* Make sure this is the value we need. */
+      vi_replace_map[ANYOTHERKEY].type = ISFUNC;
+      vi_replace_map[ANYOTHERKEY].function = (rl_command_func_t *)NULL;
     }
 
   rl_vi_start_inserting (key, 1, rl_arg_sign);