Fix potential null deref and out-of-bound access.

ok millert@ deraadt@

2 files changed, 6 insertions, 4 deletions

diff --git a/bin/ksh/c_sh.c b/bin/ksh/c_sh.c
index 458c88fd1b6..307cbf66add 100644
--- a/bin/ksh/c_sh.c
+++ b/bin/ksh/c_sh.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: c_sh.c,v 1.32 2006/03/12 00:26:58 deraadt Exp $	*/
+/*	$OpenBSD: c_sh.c,v 1.33 2006/03/20 20:54:08 otto Exp $	*/
 
 /*
  * built-in Bourne commands
@@ -595,7 +595,8 @@ c_brkcont(char **wp)
 		 * shall be used.  Doesn't say to print an error but we
 		 * do anyway 'cause the user messed up.
 		 */
-		last_ep->flags &= ~EF_BRKCONT_PASS;
+		if (last_ep)
+			last_ep->flags &= ~EF_BRKCONT_PASS;
 		warningf(true, "%s: can only %s %d level(s)",
 		    wp[0], wp[0], n - quit);
 	}
diff --git a/bin/ksh/syn.c b/bin/ksh/syn.c
index 525a5bebf2a..d180ff07f6f 100644
--- a/bin/ksh/syn.c
+++ b/bin/ksh/syn.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: syn.c,v 1.24 2006/03/14 22:08:40 deraadt Exp $	*/
+/*	$OpenBSD: syn.c,v 1.25 2006/03/20 20:54:08 otto Exp $	*/
 
 /*
  * shell parser (C version)
@@ -851,7 +851,8 @@ dbtestp_isa(Test_env *te, Test_meta meta)
 		ret = uqword && strcmp(yylval.cp, db_close) == 0;
 	if (ret) {
 		ACCEPT;
-		if (meta != TM_END) {
+		if (meta != TM_END && meta >= 0 &&
+		    meta < sizeof(dbtest_tokens) / sizeof(dbtest_tokens[0])) {
 			if (!save)
 				save = wdcopy(dbtest_tokens[(int) meta], ATEMP);
 			XPput(*te->pos.av, save);