Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Undefined behavior? parsesubst() uses a local array after it goes out of scope



This is following up on a bug reported by Nathan Mills to the -security
list. I wouldn't consider this to be a security concern.

The arr array is declared in a deeply nested scope and assigned to
variables that outlast that scope. Strictly speaking this is undefined
behaviour. I don't have the setup to reproduce any resulting problems
but I think moving the declaration to the top of the function as in this
patch should be a way to deal with this.

Oliver


diff --git a/Src/subst.c b/Src/subst.c
index d0f2a1b45..be2333ca5 100644
--- a/Src/subst.c
+++ b/Src/subst.c
@@ -1626,6 +1626,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
 	   int *ret_flags)
 {
     char *aptr = *str, c, cc;
+    char *arr[2];
     char *s = aptr, *fstr, *idbeg, *idend, *ostr = (char *) getdata(n);
     int colf;			/* != 0 means we found a colon after the name */
     /*
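Review bot: The hoisted declaration `char *arr[2];` at the top of paramsubst() would benefit from a comment saying why it lives at function scope. The only use of arr is in the arrasg block about 1,600 lines further down (the second hunk is at line 3266), so a future reader tidying the function is likely to move it back into that block and reintroduce the dangling pointer the cover letter describes. A one-line comment such as "hoisted: assigned to variables that outlive the arrasg block" next to the declaration documents the intent.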
@@ -3266,7 +3267,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
 		}
 		if (arrasg) {
 		    /* This is an array assignment. */
-		    char *arr[2], **t, **a, **p;
+		    char **t, **a, **p;
 		    if (spsep || spbreak) {
 			aval = sepsplit(val, spsep, 0, 1);
 			isarr = nojoin ? 1 : 2;
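Review bot: This hunk only removes `char *arr[2]` from the arrasg block; the assignment that lets arr escape the block and the later reader of it are not in the visible context. Before merging, confirm that whatever ends up pointing into arr is consumed before paramsubst() returns, since function scope only extends the array's lifetime to the end of the call: if the pointer is stored somewhere that outlives paramsubst(), hoisting the declaration moves the dangling reference rather than removing it. Quoting the relevant assignment in the commit message would make that check reviewable.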

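The lifetime bug Oliver describes, reduced to its shape, as an added example that is not zsh code: the first function keeps the array inside the inner block so the pointer that escapes it dangles, the second hoists the array to function scope as the patch does. The names before_patch, after_patch, key and val are invented for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example mirroring the pattern fixed in Src/subst.c.
 * Names (before_patch, after_patch, key, val) are hypothetical.
 *
 * Buggy shape (before the patch): arr is an automatic array whose
 * lifetime ends at the closing brace of the if-block, yet aval still
 * points at it afterwards. Reading through aval is undefined behaviour.
 * Whether it "works" depends on what the compiler reuses the stack slot
 * for, which is why such bugs are hard to reproduce on demand. */
static const char *before_patch(const char *key, const char *val, int arrasg)
{
    char **aval = NULL;
    if (arrasg) {
        char *arr[2];               /* dies at the '}' below */
        arr[0] = (char *)key;
        arr[1] = NULL;
        aval = arr;                 /* pointer escapes the block */
    }
    return aval ? aval[0] : val;    /* dangling read when arrasg != 0 */
}

/* Fixed shape (after the patch): arr is declared at function scope, so
 * it stays alive for the whole call and aval remains a valid pointer
 * wherever it is read before the function returns. */
static const char *after_patch(const char *key, const char *val, int arrasg)
{
    char *arr[2];                   /* lives until the function returns */
    char **aval = NULL;
    if (arrasg) {
        arr[0] = (char *)key;
        arr[1] = NULL;
        aval = arr;
    }
    return aval ? aval[0] : val;    /* well-defined in both branches */
}

/* Returns 1 if the hoisted version yields the array element when an
 * array assignment is in effect and the scalar value otherwise. */
int after_patch_behaves(void)
{
    return strcmp(after_patch("elem", "scalar", 1), "elem") == 0
        && strcmp(after_patch("elem", "scalar", 0), "scalar") == 0;
}
```

Compilers such as GCC 12+ flag the first function with -Wdangling-pointer; the same flag, or a sanitizer run, is the practical way to catch this class of bug when the misbehaviour cannot be reproduced directly.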
