54705: ksh93: fix use after free of .sh.edchar

% bindkey T foo
% zle -N foo
% foo() { emulate -L ksh; () { zle -M ${.sh.edchar} } }
% zmodload zsh/ksh93
% [press T twice]
\M-(\M-^Ak\M-<\M-G^?

or alternatively, emulate ksh in the main shell and just define this,
but then you have to make sure you're in a zsh -f shell so random things
aren't entering functions in the background.
% foo() { zle -M ${.sh.edchar} }

the code tries to restore sh_edchar = sh_unsetval; in the else branch,
but this doesn't ever run in the above scenario because we never enter
or leave a function with ksh emulation enabled (or indeed at all).

2 files changed, 4 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index ec5d72124..a130d22cc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2026-06-10  Mikael Magnusson  <mikachu@gmail.com>
 
+	* 54705: Src/Modules/ksh93.c: ksh93: fix use after free of
+	.sh.edchar
+
 	* 54704 + 54728: Src/Modules/ksh93.c: remove obsolete workaround
 	in ksh93 module
 
diff --git a/Src/Modules/ksh93.c b/Src/Modules/ksh93.c
index ff9cfba1b..5204ab8cc 100644
--- a/Src/Modules/ksh93.c
+++ b/Src/Modules/ksh93.c
@@ -197,8 +197,7 @@ ksh93_wrapper(Eprog prog, FuncWrap w, char *name)
 	    strcpy(sh_edmode, "\033");
 	else
 	    strcpy(sh_edmode, "");
-	if (sh_edchar == sh_unsetval)
-	    sh_edchar = dupstring(getsparam("KEYS"));
+	sh_edchar = dupstring(getsparam("KEYS"));
 	if (varedarg) {
 	    char *ie = itype_end((sh_name = dupstring(varedarg)), INAMESPC, 0);
 	    if (ie && *ie) {