Using an invalid byte sequence with printf %q segfaults bash, for a UTF-8 locale.
Here are the steps to reproduce the fault: gdb local/bin/bash GNU gdb (GDB) 7.4.1-debian Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /home/dualbus/local/bin/bash...done. (gdb) r ./invalid-utf8 Starting program: /home/dualbus/local/bin/bash ./invalid-utf8 Program received signal SIGSEGV, Segmentation fault. 0x00000000004b4bc0 in ansic_quote (str=0x7b0d68 "\031ަ", flags=0, rlen=0x0) at strtrans.c:282 282 *r++ = c; (gdb) bt #0 0x00000000004b4bc0 in ansic_quote (str=0x7b0d68 "\031ަ", flags=0, rlen=0x0) at strtrans.c:282 #1 0x00000000004a4121 in printf_builtin (list=0x7b0da8) at ./printf.def:567 #2 0x0000000000440e37 in execute_builtin (builtin=0x4a2e64 <printf_builtin>, words=0x7b0d48, flags=0, subshell=0) at execute_cmd.c:4337 #3 0x0000000000441a4a in execute_builtin_or_function (words=0x7b0d48, builtin=0x4a2e64 <printf_builtin>, var=0x0, redirects=0x0, fds_to_close=0x7b08a8, flags=0) at execute_cmd.c:4758 #4 0x00000000004408e8 in execute_simple_command (simple_command=0x7b0648, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x7b08a8) at execute_cmd.c:4161 #5 0x000000000043a796 in execute_command_internal (command=0x7b06c8, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x7b08a8) at execute_cmd.c:787 #6 0x0000000000439d44 in execute_command (command=0x7b06c8) at execute_cmd.c:390 #7 0x00000000004255e1 in reader_loop () at eval.c:160 #8 0x0000000000423431 in main (argc=2, argv=0x7fffffffeab8, env=0x7fffffffead0) at shell.c:755 (gdb) info locals r = 0x7b2000 <Address 0x7b2000 out of bounds> ret = 0x7b0de8 
"$'\\031\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336\336", <incomplete sequence \336>... s = 0x7b0d69 "ަ" l = 0 rsize = 16 c = 222 '\336' clen = 2 b = 0 wc = 1958 L'ަ' (gdb) quit A debugging session is active. Inferior 1 [process 28162] will be killed. Quit anyway? (y or n) y dualbus@debian:~$ cat invalid-utf8 LC_CTYPE=en_US.UTF-8 printf '%q\n' $'\031\336\246' dualbus@debian:~$ bash invalid-utf8 Segmentation fault dualbus@debian:~$ bash --version GNU bash, version 4.3.0(1)-rc2 (x86_64-unknown-linux-gnu) Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software; you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. dualbus@debian:~$ cat invalid-utf8-c-locale LC_CTYPE=C printf '%q\n' $'\031\336\246' dualbus@debian:~$ bash invalid-utf8-c-locale $'\031\336\246' dualbus@debian:~$ logout The commit that introduced the bug is the following: $ git log -n1 --pretty=medium c920c360 commit c920c360da817d2ee755e8ed94ae7d5b9ce313db Author: Chet Ramey <chet.ra...@case.edu> Date: Mon Jan 9 08:27:00 2012 -0500 commit bash-20110902 snapshot -- Eduardo Alan Bustamante López
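
A regression check built on the reproducer in the report above, to confirm whether a given bash binary still crashes on it. This is an added example, not part of the original message or of the bash sources; the function names and verdict strings are assumptions made for the example, and the locale is passed through the environment rather than set inside the script.

```sh
#!/bin/sh
# Added example: regression check for the printf %q crash reported above.
# The reproducer bytes and the two locales come from the report; the
# function names and verdict strings are made up for this example.
# Usage: check_printf_q /path/to/bash [locale]

# Map an exit status to a verdict: above 128 means killed by signal N-128.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        echo "crash:signal $(( $1 - 128 ))"
    else
        echo "error:exit $1"
    fi
}

# Run the reproducer with the given bash binary under the given LC_CTYPE.
# Prints the verdict; returns 0 only when bash exited normally.
check_printf_q() {
    bash_bin=$1
    locale=${2:-en_US.UTF-8}
    script=$(mktemp) || return 2
    # Quoted heredoc: the $'...' string reaches bash unexpanded.
    cat >"$script" <<'EOF'
printf '%q\n' $'\031\336\246'
EOF
    status=0
    # Subshell so the locale changes do not leak into the caller.
    (
        unset LC_ALL
        LC_CTYPE=$locale
        export LC_CTYPE
        exec "$bash_bin" "$script" >/dev/null 2>&1
    ) || status=$?
    rm -f "$script"
    verdict=$(classify_status "$status")
    echo "$verdict"
    [ "$verdict" = "ok" ]
}
```

A binary with the fault reports `crash:signal 11` for the UTF-8 locale and `ok` for `C`, matching the two runs in the report.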