Fix exec crash when setexecdata has never been called

or called with a small array.

This notably happens when using a sub-exec, see BZ #48919.

* exec/hashexec.c (check_hashbang): Check std_nports before accessing
std_ports.

1 files changed, 7 insertions, 5 deletions

diff --git a/exec/hashexec.c b/exec/hashexec.c
index e53d2eea..6337f0a4 100644
--- a/exec/hashexec.c
+++ b/exec/hashexec.c
@@ -97,22 +97,24 @@ check_hashbang (struct execdata *e,
       mach_port_t port = ((which < nports &&
 			   portarray[which] != MACH_PORT_NULL)
 			  ? portarray[which] :
-			  (flags & EXEC_DEFAULTS) ? std_ports[which]
-			  : MACH_PORT_NULL);
+			  (flags & EXEC_DEFAULTS && which < std_nports)
+				? std_ports[which]
+				: MACH_PORT_NULL);
 
       /* Reauthenticate dir ports if they are the defaults.  */
       switch (which)
 	{
 	case INIT_PORT_CRDIR:
 	  /* If secure, always use the default root.  */
-	  if ((flags & EXEC_SECURE) ||
-	      port == std_ports[which])
+	  if ((which < std_nports && flags & EXEC_SECURE) ||
+	      (which < std_nports && port == std_ports[which]))
 	    return (reauthenticate (std_ports[which], &user_crdir) ?:
 		    (*operate) (user_crdir));
 	  break;
 	case INIT_PORT_CWDIR:
 	  /* If secure, reauthenticate cwd whether default or given.  */
-	  if ((flags & EXEC_SECURE) || port == std_ports[which])
+	  if ((flags & EXEC_SECURE) ||
+	      (which < std_nports && port == std_ports[which]))
 	    return (reauthenticate (port, &user_cwdir) ?:
 		    (*operate) (user_cwdir));
 	  break;