dc crashes because a Blk* sometimes ends getting double freed.
To make it crash, any of these lines will do:
(each line is a separate input to dc):
1 sa 2 :a le d sa v :a
1 sa 2 :a le d sa :a
1 sa 2 :a le d sa c
Fix by assigning p to sptr->val before EMTPY causes a jump.
Additionally, dcgetwd() can return 0. all other uses check for
0 ptr; Also fix a buffer overflow.
BurnZeZ → Found a bug in dc(1)
BurnZeZ → Everything breaks when you fill the stack
BurnZeZ → You have stkptr which crap expects to point to an available member in Blk *stack[STKSZ];
BurnZeZ → stkend = &stack[STKSZ];
BurnZeZ → stkptr is allowed to equal stkend
BurnZeZ → So crap that expects stkptr to be pointing to an available Blk ends up dereferencing past the end of the array
BurnZeZ → term% echo `{seq 1 100} f | dc
BurnZeZ → dc 628283: suicide: sys: trap: fault read addr=0xffffe0000040a618 pc=0x204b1c