This doesn't seem to be related to the other read memory corruption
issues, since it doesn't crash normal read/read -r.
dualbus@afl-bash-history-fncm:~$ md5sum malloc
0edd8a721e52362d0aeeb30bae22c4f5 malloc
dualbus@afl-bash-history-fncm:~$ base64 malloc
/TAw/wHw8DAw8DAwMDAw8PD19fUw9fX19fX1MP9//PX19fX1/PWAMAT1MDDr8PDqDzAwMDCA
I patched read_builtin's -e to allow fuzzing from file:
dualbus@afl-bash-history-fncm:/bash$ git diff -- builtins/
diff --git a/builtins/read.def b/builtins/read.def
index 14da6a2f..bd636b0b 100644
--- a/builtins/read.def
+++ b/builtins/read.def
@@ -381,7 +381,7 @@ read_builtin (list)
sync_buffered_stream (default_buffered_input);
#endif
- input_is_tty = isatty (fd);
+ input_is_tty = 1;
if (input_is_tty == 0)
#ifndef __CYGWIN__
input_is_pipe = (lseek (fd, 0L, SEEK_CUR) < 0) && (errno == ESPIPE);
(gdb) r -c 'read -e < malloc'
Starting program: /bash/bash -c 'read -e < malloc'
��00�00000���0���0�����0�00���0�
malloc: ./read.def:612: assertion botched
malloc: 0x90e108: allocated: last allocated from ./read.def:361
realloc: start and end chunk sizes differ
Aborting...
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
58 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1 0x00007ffff761a37a in __GI_abort () at abort.c:89
#2 0x0000000000487913 in programming_error (format=<optimized out>)
at error.c:175
#3 0x00000000005fe454 in xbotch (e=0, mem=<optimized out>,
s=<optimized out>, file=<optimized out>, line=<optimized out>)
at malloc.c:329
#4 internal_realloc (mem=<optimized out>, n=<optimized out>,
file=0x6219de "./read.def", line=<optimized out>,
flags=<optimized out>) at malloc.c:1036
#5 0x0000000000524283 in sh_xrealloc (pointer=0x90e108, bytes=240,
file=0x6219de "./read.def", line=612) at xmalloc.c:206
#6 0x0000000000545afa in read_builtin (list=<optimized out>) at ./read.def:612
#7 0x000000000046bcad in execute_builtin (builtin=0x5440f0
<read_builtin>, words=0x90bce8, flags=<optimized out>, subshell=0)
at execute_cmd.c:4605
#8 0x00000000004624d9 in execute_builtin_or_function (words=0x90bce8,
builtin=0x5440f0 <read_builtin>, var=0x0, redirects=0x90b3c8,
fds_to_close=<optimized out>, flags=<optimized out>) at execute_cmd.c:5103
#9 execute_simple_command (simple_command=<optimized out>,
pipe_in=-1, pipe_out=-1, async=<optimized out>,
fds_to_close=<optimized out>) at execute_cmd.c:4391
#10 execute_command_internal (command=<optimized out>,
asynchronous=<optimized out>, pipe_in=<optimized out>,
pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:812
#11 0x00000000005348bd in parse_and_execute (string=<optimized out>,
from_file=<optimized out>, flags=<optimized out>)
at evalstring.c:430
#12 0x0000000000429c84 in run_one_command (command=<optimized out>) at
shell.c:1405
#13 0x0000000000427e28 in main (argc=<optimized out>, argv=<optimized
out>, env=<optimized out>) at shell.c:718
