Fix buffer overflow due to incorrect nv_endsubscript() calls
The nv_endsubscript() function finds the end of an array subscript
and returns a pointer to the character following it. But this only
works correctly if the 'cp' pointer passed points to the initial
'[' of the subscript, not to any subsequent character. Otherwise,
backslash quotes may mess it up and a pointer past the character
following the subscript may be returned, causing potential buffer
overflows. (This manifested in some regression test failures in
tests/nameref.sh when run with a ksh compiled with ASan.)

These fixes were found by adding an assert(*cp=='[') at the
beginning of nv_subscript() and running the regression tests.

src/cmd/ksh93/sh/arith.c, src/cmd/ksh93/sh/name.c:
- Correct two erroneous nv_subscript() calls found by that assert
  by adjusting the cp parameter to point to the initial '['.
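Added illustration of the caller/callee contract the message describes (not code from the ksh93 commit or project; `subscript_end` and `skip_name_and_subscript` are hypothetical names for a simplified model, not nv_endsubscript itself): the scanner refuses a `cp` that does not point at `'['`, stops at the terminating NUL even when a backslash is the last character, and the caller rewinds one byte after its scan has consumed the `'['`, which is the shape of the arith.c and name.c fixes.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a subscript scanner (hypothetical; not ksh's
 * nv_endsubscript). Contract: cp must point at the opening '['.
 * Returns a pointer to the character after the matching ']', or NULL
 * if the subscript is unterminated or the contract is violated.
 * A backslash quotes the next character; nested brackets balance. */
const char *subscript_end(const char *cp)
{
    int depth = 1;
    if (*cp != '[')
        return NULL;            /* caller bug; the commit found these with assert(*cp=='[') */
    for (cp++; *cp && depth > 0; cp++) {
        if (*cp == '\\') {
            if (cp[1] == '\0')
                return NULL;    /* dangling backslash: never step past the NUL */
            cp++;               /* skip the quoted character */
        } else if (*cp == '[') {
            depth++;
        } else if (*cp == ']') {
            depth--;
        }
    }
    return depth == 0 ? cp : NULL;
}

/* Caller pattern from the fix: a name scan that has already consumed the
 * '[' steps back one byte so the scanner sees the '[' itself. Returns a
 * pointer to the text after "name[subscript]", or NULL if there is none. */
const char *skip_name_and_subscript(const char *cp)
{
    int c;
    while ((c = *cp++) != '\0') {
        if (c == '[')
            return subscript_end(cp - 1);   /* cp - 1 is the '[' */
    }
    return NULL;
}

int main(void)
{
    /* Constructed inputs: a quoted ']' and a quoted backslash inside the subscript. */
    const char *tail1 = skip_name_and_subscript("arr[\\]]=1");
    const char *tail2 = skip_name_and_subscript("arr[\\\\]=2");
    printf("%s\n%s\n", tail1 ? tail1 : "(unterminated)", tail2 ? tail2 : "(unterminated)");
    return 0;
}
```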
McDutchie committed Nov 30, 2024
1 parent 70a0032 commit c27edcc
Showing 3 changed files with 5 additions and 2 deletions.
2 changes: 1 addition & 1 deletion src/cmd/ksh93/include/version.h
@@ -18,7 +18,7 @@

#define SH_RELEASE_FORK "93u+m" /* only change if you develop a new ksh93 fork */
#define SH_RELEASE_SVER "1.1.0-alpha" /* semantic version number: https://semver.org */
#define SH_RELEASE_DATE "2024-11-29" /* must be in this format for $((.sh.version)) */
#define SH_RELEASE_DATE "2024-11-30" /* must be in this format for $((.sh.version)) */
#define SH_RELEASE_CPYR "(c) 2020-2024 Contributors to ksh " SH_RELEASE_FORK

/* Scripts sometimes field-split ${.sh.version}, so don't change amount of whitespace. */
3 changes: 3 additions & 0 deletions src/cmd/ksh93/sh/arith.c
@@ -149,7 +149,10 @@ static Namval_t *scope(Namval_t *np,struct lval *lvalue,int assign)
while(c=mbchar(cp),isaname(c));
}
if(c=='[')
{
cp--;
continue;
}
}
flag = *cp;
*cp = 0;
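Review bot: the `cp--` added inside `if(c=='[')` needs a comment: the preceding `while(c=mbchar(cp),isaname(c));` has already advanced cp past the '[', and stepping back one byte is only correct because '[' is a single-byte ASCII character that mbchar() consumed as exactly one byte; without that explanation a later reader may mistake the decrement after a multibyte-aware scan for an off-by-one. Since the commit message says these callers were found with an `assert(*cp=='[')`, consider keeping that assertion (or an equivalent cheap check) at the callee so any future caller that breaks the contract fails loudly in debug builds instead of overrunning the buffer.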
2 changes: 1 addition & 1 deletion src/cmd/ksh93/sh/name.c
@@ -3067,7 +3067,7 @@ static char *lastdot(char *cp, int eq)
if(*cp==']')
cp++;
else
cp = nv_endsubscript(NULL,ep=cp,0);
cp = nv_endsubscript(NULL,(ep=cp)-1,0);
}
else if(c=='.')
{
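Review bot: `cp = nv_endsubscript(NULL,(ep=cp)-1,0);` folds the assignment to ep and the pointer adjustment into one argument expression, which hides the actual fix; splitting it into `ep = cp;` followed by `cp = nv_endsubscript(NULL,cp-1,0);` with a comment that cp-1 is the '[' makes the rewind visible. It also relies on cp having been advanced exactly one byte past the '[' by the earlier scan, the same single-byte assumption as in arith.c, so a comment or debug assertion that `cp[-1]=='['` here would document the precondition nv_endsubscript() depends on.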