Found via fuzzing (of `read -e') using AFL. To reproduce:

In a shell with `emacs' readline mode, type:

~""""""""""""""""/<M><!>

e.g.

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dualbus/src/gnu/bash/bash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
bash-5.0$ ~""""""""""""""""/

Program received signal SIGSEGV, Segmentation fault.
__memset_avx2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:206
206	../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memset_avx2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:206
#1  0x000055555575518e in internal_malloc (n=18446744073709551609, file=0x555555762db7 "bashline.c", line=3015, flags=1) at malloc.c:870
#2  0x00005555557568dc in sh_malloc (bytes=18446744073709551609, file=0x555555762db7 "bashline.c", line=3015) at malloc.c:1302
#3  0x000055555569bf1f in sh_xmalloc (bytes=18446744073709551609, file=0x555555762db7 "bashline.c", line=3015) at xmalloc.c:185
#4  0x00005555556854f6 in restore_tilde (val=0x555555990aa8 "~/.swt", directory_part=0x555555990ac8 "~", '\"' <repeats 16 times>) at bashline.c:3015
#5  0x00005555556855fe in maybe_restore_tilde (val=0x555555990aa8 "~/.swt", directory_part=0x555555990ac8 "~", '\"' <repeats 16 times>) at bashline.c:3031
#6  0x0000555555682940 in command_word_completion_function (hint_text=0x555555990a88 "~", '\"' <repeats 16 times>, "/", state=0) at bashline.c:2157
#7  0x0000555555718e12 in rl_completion_matches (text=0x555555990a88 "~", '\"' <repeats 16 times>, "/", entry_function=0x555555680f3c <command_word_completion_function>) at complete.c:2185
#8  0x0000555555714eb3 in gen_completion_matches (text=0x555555990a88 "~", '\"' <repeats 16 times>, "/", start=0, end=18, our_func=0x555555680f3c <command_word_completion_function>, found_quote=2, quote_char=0) at complete.c:1228
#9  0x0000555555718352 in rl_complete_internal (what_to_do=9) at complete.c:2013
#10 0x0000555555688187 in bash_specific_completion (what_to_do=9, generator=0x555555680f3c <command_word_completion_function>) at bashline.c:3812
#11 0x0000555555687a6c in bash_complete_command_internal (what_to_do=9) at bashline.c:3690
#12 0x0000555555687958 in bash_complete_command (ignore=1, ignore2=33) at bashline.c:3662
#13 0x0000555555704df2 in _rl_dispatch_subseq (key=33, map=0x5555557cec60 <emacs_meta_keymap>, got_subseq=0) at readline.c:852
#14 0x0000555555705793 in _rl_dispatch_subseq (key=27, map=0x5555557cdc40 <emacs_standard_keymap>, got_subseq=0) at readline.c:986
#15 0x00005555557049e5 in _rl_dispatch (key=1437245440, map=0x5555557cdc40 <emacs_standard_keymap>) at readline.c:798
#16 0x000055555570432d in readline_internal_char () at readline.c:632
#17 0x000055555570441a in readline_internal_charloop () at readline.c:659
#18 0x0000555555704470 in readline_internal () at readline.c:671
#19 0x000055555570374f in readline (prompt=0x55555598f3e8 "bash-5.0$ ") at readline.c:377
#20 0x00005555555c5b2a in yy_readline_get () at ./parse.y:1476
#21 0x00005555555c5945 in yy_getc () at ./parse.y:1409
#22 0x00005555555c7648 in shell_getc (remove_quoted_newline=1) at ./parse.y:2334
#23 0x00005555555ca34c in read_token (command=0) at ./parse.y:3230
#24 0x00005555555c8e07 in yylex () at ./parse.y:2744
#25 0x00005555555bfef6 in yyparse () at y.tab.c:1823
#26 0x00005555555bf299 in parse_command () at eval.c:303
#27 0x00005555555bf4a9 in read_command () at eval.c:347
#28 0x00005555555bea6b in reader_loop () at eval.c:143
#29 0x00005555555ba3e7 in main (argc=1, argv=0x7fffffffe7d8, env=0x7fffffffe7e8) at shell.c:805
(gdb) frame 4
#4  0x00005555556854f6 in restore_tilde (val=0x555555990aa8 "~/.swt", directory_part=0x555555990ac8 "~", '\"' <repeats 16 times>) at bashline.c:3015
3015	  ret = (char *)xmalloc (dl2 + 2 + l);
(gdb) p dl2
$3 = 1
(gdb) p l
$4 = -10
(gdb) p vl
$5 = 6
(gdb) p xl
$6 = 17
(gdb) p rl_line_buffer
$8 = 0x555555a40e08 '\337' <repeats 199 times>, <incomplete sequence \337>...

Due to the expansions performed in restore_tilde, xl ends up being larger than vl, and thus we end up requesting a negative amount of memory. I kind of understand what the problem is, but I don't really know how to fix it.
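The arithmetic behind the crash, as an added example that is not bash's own code: it models the lengths printed in the gdb session (dl2=1, vl=6, xl=17, l=-10) and shows how the negative int reaches xmalloc as a 2^64-7 byte request. The formula l = vl - xl + 1 is an assumption inferred from those values, not taken from bashline.c; the checked variant is one way a caller could refuse the request before allocating.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: the lengths are combined in int arithmetic and the result is
   converted to size_t when passed to the allocator, exactly as the gdb
   frame shows (n=18446744073709551609 for dl2=1, l=-10). */
size_t request_size_unchecked(int dl2, int vl, int xl)
{
    int l = vl - xl + 1;            /* assumed formula; negative when xl > vl + 1 */
    return (size_t)(dl2 + 2 + l);   /* -7 becomes SIZE_MAX - 6 */
}

/* Checked: compute in a wider signed type and refuse any request whose
   components are negative or whose total does not fit in size_t. */
bool request_size_checked(int dl2, int vl, int xl, size_t *out)
{
    if (dl2 < 0 || vl < 0 || xl < 0)
        return false;
    if (xl > vl + 1)                /* l = vl - xl + 1 would be negative */
        return false;
    long long total = (long long)dl2 + 2 + ((long long)vl - xl + 1);
    if (total < 0 || (unsigned long long)total > SIZE_MAX)
        return false;
    *out = (size_t)total;
    return true;
}

int main(void)
{
    /* Values constructed from the gdb session above. */
    size_t n = request_size_unchecked(1, 6, 17);
    printf("unchecked request: %zu bytes\n", n);   /* 18446744073709551609 */

    size_t ok;
    if (!request_size_checked(1, 6, 17, &ok))
        puts("checked: request refused (negative length)");
    if (request_size_checked(1, 6, 5, &ok))
        printf("checked: %zu bytes\n", ok);        /* 5 */
    return 0;
}
```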