By inspection, it appears possible this access will underrun if the first
character is a %.
Index: mail.c
===================================================================
RCS file: /cvs/src/bin/ksh/mail.c,v
retrieving revision 1.25
diff -u -p -r1.25 mail.c
--- mail.c 7 Jan 2019 20:50:43 -0000 1.25
+++ mail.c 13 Jan 2019 08:41:58 -0000
@@ -128,7 +128,7 @@ mpset(char *mptoparse)
/* POSIX/bourne-shell say file%message */
for (p = mpath; (mmsg = strchr(p, '%')); ) {
/* a literal percent? (POSIXism) */
- if (mmsg[-1] == '\\') {
+ if (mmsg > mpath && mmsg[-1] == '\\') {
/* use memmove() to avoid overlap problems */
memmove(mmsg - 1, mmsg, strlen(mmsg) + 1);
p = mmsg + 1;
