From 8412796ac1d53570e94748ab96f32d0919908550 Mon Sep 17 00:00:00 2001
From: Steffen Nurpmeso <steffen@sdaoden.eu>
Date: Thu, 2 Aug 2018 23:37:49 +0200
Subject: [PATCH] n_cmd_arg_parse(): FIX token error -> crash, e.g. "-RX
 'bind;echo $?' -Xx"..

The token segmentation will not push "the empty token following
the bind command", but it will correctly split after the control
operator that the semicolon is.

The problem is that no check is performed in this case to see
whether we would have required some output, or whether the current
argument is "optional".  In this case it is not, and `bind' will
blindly access the first argument, but which does not exist.

This bug exists for quite some time already, grr!
It is likely a leftover from the times when we did not support any
control operator, and when we implemented semicolon, i failed to
update all necessary places.  This was one of them.
---
 cmd-tab.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/cmd-tab.c b/cmd-tab.c
index 7041cf32..7c75bbf7 100644
--- a/cmd-tab.c
+++ b/cmd-tab.c
@@ -506,8 +506,11 @@ jredo:
             if(!(shs & n_SHEXP_STATE_OUTPUT))
                goto jleave;
             addca = TRUM1;
-         }else
-            addca = TRU1;
+         }else if(!(shs & n_SHEXP_STATE_OUTPUT) && cad_idx < cadp->cad_no &&
+               !(cadp->cad_ent_flags[cad_idx][0] & n_CMD_ARG_DESC_OPTION))
+            goto jerr;
+         else
+            addca = ((shs & n_SHEXP_STATE_OUTPUT) != NULL);
          }break;
       }
       ++parsed_args;
-- 
2.11.4.GIT