experimental diff:

From: Todd C. Miller <Todd.Miller@courtesan.com>
The following ksh diff needs wide testing.  It does the following:
 1) proper error message for bad substitution.
    Before:
        $ echo ${a[@]:foo}
        ksh: : bad substitution
    After:
        $ echo ${a[@]:foo}
        ksh: ${a[@]:foo}: bad substitution
 2) fix a core dump for "echo ${a[@]:?foo}".
 3) fix a use-after-free bug (from otto@)

c_sh.c

@@ -1,4 +1,4 @@
-/**	$MirBSD: c_sh.c,v 1.7 2004/10/28 11:53:39 tg Exp $ */
+/**	$MirBSD: c_sh.c,v 1.8 2004/12/10 22:21:24 tg Exp $ */
 /*	$OpenBSD: c_sh.c,v 1.17 2003/03/13 09:03:07 deraadt Exp $	*/
 
 /*
@@ -10,7 +10,7 @@
 #include "ksh_time.h"
 #include "ksh_times.h"
 
-__RCSID("$MirBSD: c_sh.c,v 1.7 2004/10/28 11:53:39 tg Exp $");
+__RCSID("$MirBSD: c_sh.c,v 1.8 2004/12/10 22:21:24 tg Exp $");
 
 static	char *clocktos(clock_t t);
 
@@ -540,7 +540,7 @@ c_exitreturn(char **wp)
 		how = LSHELL;
 	}
 
-	quitenv();	/* get rid of any i/o redirections */
+	quitenv(NULL);	/* get rid of any i/o redirections */
 	unwind(how);
 	/*NOTREACHED*/
 	return 0;

eval.c

@@ -1,4 +1,4 @@
-/**	$MirBSD: eval.c,v 1.10 2004/12/10 16:01:34 tg Exp $ */
+/**	$MirBSD: eval.c,v 1.11 2004/12/10 22:21:25 tg Exp $ */
 /*	$OpenBSD: eval.c,v 1.16 2004/12/08 21:23:18 millert Exp $	*/
 
 /*
@@ -10,7 +10,7 @@
 #include "ksh_dir.h"
 #include "ksh_stat.h"
 
-__RCSID("$MirBSD: eval.c,v 1.10 2004/12/10 16:01:34 tg Exp $");
+__RCSID("$MirBSD: eval.c,v 1.11 2004/12/10 22:21:25 tg Exp $");
 
 /*
  * string expansion
@@ -287,12 +287,12 @@ expand(char *cp, XPtrV *wp, int f)
 					char endc;
 					char *str, *end;
 
+					sp = varname - 2; /* restore sp */
 					end = (char *) wdscan(sp, CSUBST);
 					/* ({) the } or x is already skipped */
 					endc = *end;
 					*end = EOS;
-					str = snptreef((char *) 0, 64, "%S",
-							varname - 1);
+					str = snptreef(NULL, 64, "%S", sp);
 					*end = endc;
 					errorf("%s: bad substitution", str);
 				}
@@ -801,6 +801,7 @@ varsub(Expand *xp, char *sp, char *word, int *stypep, int *slenp)
 			  case '=':	/* can't assign to a vector */
 			  case '%':	/* can't trim a vector (yet) */
 			  case '#':
+			  case '?':
 				return -1;
 			}
 			XPinit(wv, 32);

exec.c

@@ -1,4 +1,4 @@
-/**	$MirBSD: exec.c,v 1.6 2004/10/28 11:53:41 tg Exp $ */
+/**	$MirBSD: exec.c,v 1.7 2004/12/10 22:21:25 tg Exp $ */
 /*	$OpenBSD: exec.c,v 1.31 2003/12/15 05:25:52 otto Exp $	*/
 
 /*
@@ -10,7 +10,7 @@
 #include <ctype.h>
 #include "ksh_stat.h"
 
-__RCSID("$MirBSD: exec.c,v 1.6 2004/10/28 11:53:41 tg Exp $");
+__RCSID("$MirBSD: exec.c,v 1.7 2004/12/10 22:21:25 tg Exp $");
 
 /* Does ps4 get parameter substitutions done? */
 #ifdef KSH
@@ -215,7 +215,7 @@ execute(struct op *volatile t, volatile int flags)
 		i = ksh_sigsetjmp(e->jbuf, 0);
 		if (i) {
 			sigprocmask(SIG_SETMASK, &omask, (sigset_t *) 0);
-			quitenv();
+			quitenv(NULL);
 			unwind(i);
 			/*NOTREACHED*/
 		}
@@ -321,7 +321,7 @@ execute(struct op *volatile t, volatile int flags)
 			if ((e->flags&EF_BRKCONT_PASS)
 			    || (i != LBREAK && i != LCONTIN))
 			{
-				quitenv();
+				quitenv(NULL);
 				unwind(i);
 			} else if (i == LBREAK) {
 				rv = 0;
@@ -361,7 +361,7 @@ execute(struct op *volatile t, volatile int flags)
 			if ((e->flags&EF_BRKCONT_PASS)
 			    || (i != LBREAK && i != LCONTIN))
 			{
-				quitenv();
+				quitenv(NULL);
 				unwind(i);
 			} else if (i == LBREAK) {
 				rv = 0;
@@ -431,7 +431,7 @@ execute(struct op *volatile t, volatile int flags)
     Break:
 	exstat = rv;
 
-	quitenv();		/* restores IO */
+	quitenv(NULL);		/* restores IO */
 	if ((flags&XEXEC))
 		unwind(LEXIT);	/* exit child */
 	if (rv != 0 && !(flags & XERROK)) {
@@ -686,11 +686,11 @@ comexec(struct op *t, struct tbl *volatile tp, char **ap, volatile int flags)
 		  case LEXIT:
 		  case LLEAVE:
 		  case LSHELL:
-			quitenv();
+			quitenv(NULL);
 			unwind(i);
 			/*NOTREACHED*/
 		  default:
-			quitenv();
+			quitenv(NULL);
 			internal_errorf(1, "CFUNC %d", i);
 		}
 		break;
@@ -1453,8 +1453,7 @@ herein(const char *content, int sub)
 	i = ksh_sigsetjmp(e->jbuf, 0);
 	if (i) {
 		source = osource;
-		quitenv();
-		shf_close(shf);	/* after quitenv */
+		quitenv(shf);
 		close(fd);
 		return -2; /* special to iosetup(): don't print error */
 	}
@@ -1470,7 +1469,7 @@ herein(const char *content, int sub)
 	} else
 		shf_puts(content, shf);
 
-	quitenv();
+	quitenv(NULL);
 
 	if (shf_close(shf) == EOF) {
 		close(fd);

expr.c

@@ -1,4 +1,4 @@
-/**	$MirBSD: expr.c,v 1.7 2004/10/28 11:53:41 tg Exp $ */
+/**	$MirBSD: expr.c,v 1.8 2004/12/10 22:21:25 tg Exp $ */
 /*	$OpenBSD: expr.c,v 1.9 2003/10/22 07:40:38 jmc Exp $	*/
 
 /*
@@ -8,7 +8,7 @@
 #include "sh.h"
 #include <ctype.h>
 
-__RCSID("$MirBSD: expr.c,v 1.7 2004/10/28 11:53:41 tg Exp $");
+__RCSID("$MirBSD: expr.c,v 1.8 2004/12/10 22:21:25 tg Exp $");
 
 /* The order of these enums is constrained by the order of opinfo[] */
 enum token {
@@ -176,7 +176,7 @@ v_evaluate(struct tbl *vp, const char *expr, volatile int error_ok)
 		/* Clear EXPRINEVAL in of any variables we were playing with */
 		if (curstate.evaling)
 			curstate.evaling->flag &= ~EXPRINEVAL;
-		quitenv();
+		quitenv(NULL);
 		if (i == LAEXPR) {
 			if (error_ok == KSH_RETURN_ERROR)
 				return 0;
@@ -202,7 +202,7 @@ v_evaluate(struct tbl *vp, const char *expr, volatile int error_ok)
 		/* can fail if readonly */
 		setstr(vp, str_val(v), error_ok);
 
-	quitenv();
+	quitenv(NULL);
 
 	return 1;
 }

lex.c

@@ -1,4 +1,4 @@
-/**	$MirBSD: lex.c,v 1.7 2004/10/28 11:53:42 tg Exp $ */
+/**	$MirBSD: lex.c,v 1.8 2004/12/10 22:21:25 tg Exp $ */
 /*	$OpenBSD: lex.c,v 1.18 2003/08/06 21:08:05 millert Exp $	*/
 
 /*
@@ -8,7 +8,7 @@
 #include "sh.h"
 #include <ctype.h>
 
-__RCSID("$MirBSD: lex.c,v 1.7 2004/10/28 11:53:42 tg Exp $");
+__RCSID("$MirBSD: lex.c,v 1.8 2004/12/10 22:21:25 tg Exp $");
 
 /* Structure to keep track of the lexing state and the various pieces of info
  * needed for each particular state.
@@ -1140,7 +1140,7 @@ set_prompt(int to, Source *s)
 			} else
 				prompt = str_save(substitute(ps1, 0),
 						 saved_atemp);
-			quitenv();
+			quitenv(NULL);
 		}
 #else /* KSH */
 		prompt = str_val(global("PS1"));

main.c

@@ -1,4 +1,4 @@
-/**	$MirBSD: main.c,v 1.15 2004/11/10 17:13:11 tg Exp $ */
+/**	$MirBSD: main.c,v 1.16 2004/12/10 22:21:25 tg Exp $ */
 /*	$OpenBSD: main.c,v 1.28 2004/08/23 14:56:32 millert Exp $	*/
 
 /*
@@ -11,7 +11,7 @@
 #include "ksh_stat.h"
 #include "ksh_time.h"
 
-__RCSID("$MirBSD: main.c,v 1.15 2004/11/10 17:13:11 tg Exp $");
+__RCSID("$MirBSD: main.c,v 1.16 2004/12/10 22:21:25 tg Exp $");
 
 extern char **environ;
 
@@ -479,9 +479,7 @@ include(const char *name, int argc, char **argv, int intr_ok)
 	newenv(E_INCL);
 	i = ksh_sigsetjmp(e->jbuf, 0);
 	if (i) {
-		if (s) /* Do this before quitenv(), which frees the memory */
-			shf_close(s->u.shf);
-		quitenv();
+		quitenv(s ? s->u.shf : NULL);
 		if (old_argv) {
 			e->loc->argv = old_argv;
 			e->loc->argc = old_argc;
@@ -515,8 +513,7 @@ include(const char *name, int argc, char **argv, int intr_ok)
 	s->u.shf = shf;
 	s->file = str_save(name, ATEMP);
 	i = shell(s, FALSE);
-	shf_close(s->u.shf);
-	quitenv();
+	quitenv(s->u.shf);
 	if (old_argv) {
 		e->loc->argv = old_argv;
 		e->loc->argc = old_argc;
@@ -582,12 +579,12 @@ shell(Source *volatile s, volatile int toplevel)
 		  case LLEAVE:
 		  case LRETURN:
 			source = old_source;
-			quitenv();
+			quitenv(NULL);
 			unwind(i);	/* keep on going */
 			/*NOREACHED*/
 		  default:
 			source = old_source;
-			quitenv();
+			quitenv(NULL);
 			internal_errorf(1, "shell: %d", i);
 			/*NOREACHED*/
 		}
@@ -639,7 +636,7 @@ shell(Source *volatile s, volatile int toplevel)
 
 		reclaim();
 	}
-	quitenv();
+	quitenv(NULL);
 	source = old_source;
 	return exstat;
 }
@@ -674,7 +671,7 @@ unwind(int i)
 			/* Fall through... */
 
 		  default:
-			quitenv();
+			quitenv(NULL);
 		}
 	}
 }
@@ -696,7 +693,7 @@ newenv(int type)
 }
 
 void
-quitenv(void)
+quitenv(struct shf *shf)
 {
 	struct env *ep = e;
 	int fd;
@@ -711,7 +708,6 @@ quitenv(void)
 		if (ep->savefd[2]) /* Clear any write errors */
 			shf_reopen(2, SHF_WR, shl_out);
 	}
-	reclaim();
 
 	/* Bottom of the stack.
 	 * Either main shell is exiting or cleanup_parents_env() was called.
@@ -740,8 +736,14 @@ quitenv(void)
 			chmem_allfree();
 #endif /* MEM_DEBUG */
 		}
+		if (shf)
+			shf_close(shf);
+		reclaim();
 		exit(exstat);
 	}
+	if (shf)
+		shf_close(shf);
+	reclaim();
 
 	e = e->oenv;
 	afree(ep, ATEMP);

proto.h

@@ -1,4 +1,4 @@
-/**	$MirBSD: proto.h,v 1.10 2004/11/10 17:13:11 tg Exp $ */
+/**	$MirBSD: proto.h,v 1.11 2004/12/10 22:21:26 tg Exp $ */
 /*	$OpenBSD: proto.h,v 1.11 2003/05/16 19:58:57 jsyn Exp $	*/
 /*	$From: proto.h,v 1.3 1994/05/19 18:32:40 michael Exp michael $ */
 
@@ -171,7 +171,7 @@ int 	command(const char *comm);
 int 	shell(Source *volatile s, int volatile toplevel);
 void 	unwind(int i) GCC_FUNC_ATTR(noreturn);
 void 	newenv(int type);
-void 	quitenv(void);
+void 	quitenv(struct shf *shf);
 void	cleanup_parents_env(void);
 void	cleanup_proc_env(void);
 void 	aerror(Area *ap, const char *msg)