Zsh Mailing List Archive

fdtable bug



Someone posted a bug report, which had a pointer error deep within
exec.c, and mentioned that the bug went away when the shell was run
under gdb.  Well, I found a bug with exactly these properties.
Unfortunately it caused zsh to fall over while processing .zlogin, in
the account where I'd installed it.  Fortunately I was able to get into
the account without root intervention.

The effect of the bug is that movefd() can occasionally write 1 into
fdtable[-1].  In my case this was the low-order byte of shfunctab, and
so caused a bus error on the next command.

This happens because movefd() may be called upon to move a file
descriptor that is not actually valid.  We need to add a test in
movefd(), so that if the fd is invalid it doesn't write to fdtable.
movefd() is called from addfd() when creating a new multio, for the
purpose of saving the old file descriptor.  Unfortunately, I don't see
a simple way of saving an invalid file descriptor, because -1 in the
save array means that the fd hasn't been saved yet.  Maybe -2 should be
used for that, and then movefd() can return -1 for an invalid fd.

I don't include a patch, because I haven't thought through everything
involved yet.  I'll probably have a patch tomorrow (er, later today,
local British time), if nobody has done it by then.

-zefram
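
The failure mode and the -2 sentinel proposed in the message above, as an added C sketch that is not part of the original post and is not zsh source. The names `move_fd_checked`, `save_fd` and `fd_table`, the table size, and the use of `fcntl(F_DUPFD)` to move the descriptor are assumptions made for illustration.

```c
/* Added sketch: names and sizes are assumptions, not zsh source. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define FD_TABLE_SIZE 256   /* assumed table size */
#define SAVE_UNSET   (-2)   /* slot not saved yet (the -2 suggested above) */
#define SAVE_INVALID (-1)   /* fd was not open when we tried to save it */

static unsigned char fd_table[FD_TABLE_SIZE];   /* 1 = fd owned by the shell */

/* Move fd to a descriptor >= 10 and mark it in fd_table.
 * Returns the new descriptor, or -1 if fd could not be moved.
 * Without the range check, a failed dup (newfd == -1) would make the
 * assignment below write to fd_table[-1]. */
int move_fd_checked(int fd)
{
    int newfd = fcntl(fd, F_DUPFD, 10);   /* -1 (EBADF) if fd is not open */
    if (newfd < 0)
        return -1;
    if (newfd >= FD_TABLE_SIZE) {         /* cannot be tracked: undo the dup */
        close(newfd);
        return -1;
    }
    close(fd);
    fd_table[newfd] = 1;
    return newfd;
}

/* Save fd into *slot once; later calls return the recorded value. */
int save_fd(int *slot, int fd)
{
    if (*slot == SAVE_UNSET)
        *slot = move_fd_checked(fd);      /* -1 is recorded as SAVE_INVALID */
    return *slot;
}

int main(void)
{
    int slot = SAVE_UNSET;
    int closed_fd = dup(1);               /* constructed input: an fd we close */
    if (closed_fd >= 0) close(closed_fd);
    printf("saving a closed fd -> %d\n", save_fd(&slot, closed_fd));
    return 0;
}
```

With separate sentinels, a slot holding -1 records that the original descriptor was invalid, so the restore path can tell it apart from a slot that was never saved.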



