This appears to be another case of strlen reading past the end of a buffer: ASan reports a READ of size 138 at the first byte beyond a 137-byte heap region, so the prompt copy allocated in expand_prompt (display.c:389) is not NUL-terminated within its 137 bytes when `_rl_find_prev_mbchar_internal` calls `strlen(string)` at mbutil.c:162. The trigger is fuzzed stdin fed to `read -e`, which reaches reverse-i-search (`rl_display_search` -> `rl_message` -> `expand_prompt`) with the search string embedded in the prompt. Note this is a heap over-read (ASan abort), not a write; the likely fix is to terminate the buffer built in expand_prompt, or to pass the known length down instead of relying on strlen. Reproducer and traces follow.
dualbus@debian:~/src/gnu/bash-build$ base64 < /home/dualbus/bash-fuzzing/read-readline/output/10/crashes/id:000011,sig:06,src:001239+003201,op:splice,rep:2 GwMWF/zuFQAXCxcXFwAD6FNTALwAABAAgCkZGRkZ/zpQFxkZGRkZGRcXIH/6AAD6jlxchDP8GQAB AFhLYEpLZ0tKOEsQSz0aGgIZGSEZAID/GRkZGRkZS0tXS0tLAAAAAEtLHBMZWmBKS0tLSjhLEEtL S0tKS0tLSj0+EEtLHBkZGRkZGbS8Ehn/OlAXGRkZGRkZFxcgLA== dualbus@debian:~/src/gnu/bash-build$ ASAN_OPTIONS=disable_coredump=0:unmap_shadow_on_exit=1:abort_on_error=1 ./bash -c 'read -e' < /home/dualbus/bash-fuzzing/read-readline/output/10/crashes/id:000011,sig:06,src:001239+003201,op:splice,rep:2 > /dev/null 2>&1 Aborted (core dumped) dualbus@debian:~/src/gnu/bash-build$ cat stacktrace ================================================================= ==26129==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c159 at pc 0x7f40f3b2a063 bp 0x7ffed8a00070 sp 0x7ffed89ff820 READ of size 138 at 0x60d00000c159 thread T0 #0 0x7f40f3b2a062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062) #1 0x558a2174188b in _rl_find_prev_mbchar_internal ../../../bash/lib/readline/mbutil.c:162 #2 0x558a2174235c in _rl_find_prev_mbchar ../../../bash/lib/readline/mbutil.c:369 #3 0x558a21710ca1 in expand_prompt ../../../bash/lib/readline/display.c:471 #4 0x558a2171c190 in rl_message ../../../bash/lib/readline/display.c:2642 #5 0x558a2170a986 in rl_display_search ../../../bash/lib/readline/isearch.c:196 #6 0x558a2170fab7 in _rl_isearch_dispatch ../../../bash/lib/readline/isearch.c:718 #7 0x558a2170fcae in rl_search_history ../../../bash/lib/readline/isearch.c:762 #8 0x558a2170a7ac in rl_reverse_search_history ../../../bash/lib/readline/isearch.c:136 #9 0x558a216e030d in _rl_dispatch_subseq ../../../bash/lib/readline/readline.c:851 #10 0x558a216dfee8 in _rl_dispatch ../../../bash/lib/readline/readline.c:797 #11 0x558a216df727 in readline_internal_char ../../../bash/lib/readline/readline.c:629 #12 0x558a216df7b9 in readline_internal_charloop 
../../../bash/lib/readline/readline.c:656 #13 0x558a216df7dd in readline_internal ../../../bash/lib/readline/readline.c:670 #14 0x558a216dee93 in readline ../../../bash/lib/readline/readline.c:374 #15 0x558a2169a136 in edit_line ../../bash/builtins/../../bash/builtins/read.def:1095 #16 0x558a21697aa4 in read_builtin ../../bash/builtins/../../bash/builtins/read.def:559 #17 0x558a215adc89 in execute_builtin ../bash/execute_cmd.c:4609 #18 0x558a215af89f in execute_builtin_or_function ../bash/execute_cmd.c:5107 #19 0x558a215ad11f in execute_simple_command ../bash/execute_cmd.c:4395 #20 0x558a2159af42 in execute_command_internal ../bash/execute_cmd.c:811 #21 0x558a216850f4 in parse_and_execute ../../bash/builtins/evalstring.c:430 #22 0x558a21566401 in run_one_command ../bash/shell.c:1405 #23 0x558a215648da in main ../bash/shell.c:718 #24 0x7f40f33422b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) #25 0x558a21563749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749) 0x60d00000c159 is located 0 bytes to the right of 137-byte region [0x60d00000c0d0,0x60d00000c159) allocated by thread T0 here: #0 0x7f40f3bafd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28) #1 0x558a21673d95 in xmalloc ../bash/xmalloc.c:112 #2 0x558a21710574 in expand_prompt ../../../bash/lib/readline/display.c:389 #3 0x558a2171c190 in rl_message ../../../bash/lib/readline/display.c:2642 #4 0x558a2170a986 in rl_display_search ../../../bash/lib/readline/isearch.c:196 #5 0x558a2170fab7 in _rl_isearch_dispatch ../../../bash/lib/readline/isearch.c:718 #6 0x558a2170fcae in rl_search_history ../../../bash/lib/readline/isearch.c:762 #7 0x558a2170a7ac in rl_reverse_search_history ../../../bash/lib/readline/isearch.c:136 #8 0x558a216e030d in _rl_dispatch_subseq ../../../bash/lib/readline/readline.c:851 #9 0x558a216dfee8 in _rl_dispatch ../../../bash/lib/readline/readline.c:797 #10 0x558a216df727 in readline_internal_char ../../../bash/lib/readline/readline.c:629 #11 
0x558a216df7b9 in readline_internal_charloop ../../../bash/lib/readline/readline.c:656 #12 0x558a216df7dd in readline_internal ../../../bash/lib/readline/readline.c:670 #13 0x558a216dee93 in readline ../../../bash/lib/readline/readline.c:374 #14 0x558a2169a136 in edit_line ../../bash/builtins/../../bash/builtins/read.def:1095 #15 0x558a21697aa4 in read_builtin ../../bash/builtins/../../bash/builtins/read.def:559 #16 0x558a215adc89 in execute_builtin ../bash/execute_cmd.c:4609 #17 0x558a215af89f in execute_builtin_or_function ../bash/execute_cmd.c:5107 #18 0x558a215ad11f in execute_simple_command ../bash/execute_cmd.c:4395 #19 0x558a2159af42 in execute_command_internal ../bash/execute_cmd.c:811 #20 0x558a216850f4 in parse_and_execute ../../bash/builtins/evalstring.c:430 #21 0x558a21566401 in run_one_command ../bash/shell.c:1405 #22 0x558a215648da in main ../bash/shell.c:718 #23 0x7f40f33422b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062) Shadow bytes around the buggy address: 0x0c1a7fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1a7fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1a7fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1a7fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1a7fff9810: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00 =>0x0c1a7fff9820: 00 00 00 00 00 00 00 00 00 00 00[01]fa fa fa fa 0x0c1a7fff9830: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c1a7fff9840: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd 0x0c1a7fff9850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c1a7fff9860: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c1a7fff9870: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap 
region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==26129==ABORTING (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007f40f33563fa in __GI_abort () at abort.c:89 #2 0x00007f40f3bc9329 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3 #3 0x00007f40f3bbe9ab in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3 #4 0x00007f40f3bb8b57 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3 #5 0x00007f40f3b2a07e in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3 #6 0x0000558a2174188c in _rl_find_prev_mbchar_internal ( string=0x60d00000c0d0 "(reverse-i-search)`=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀", '\276' <repeats 52 times>, seed=85, find_non_zero=0) at ../../../bash/lib/readline/mbutil.c:162 #7 0x0000558a2174235d in _rl_find_prev_mbchar ( string=0x60d00000c0d0 "(reverse-i-search)`=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀", '\276' <repeats 52 times>, seed=85, flags=0) at ../../../bash/lib/readline/mbutil.c:369 #8 0x0000558a21710ca2 in expand_prompt ( pmt=0x60e00000df60 "(reverse-i-search)`=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P': ", flags=0, lp=0x558a21a06040 <prompt_visible_length>, lip=0x558a21a06100 <prompt_last_invisible>, niflp=0x558a21a06180 
<prompt_invis_chars_first_line>, vlp=0x558a21a06200 <prompt_physical_chars>) at ../../../bash/lib/readline/display.c:471 #9 0x0000558a2171c191 in rl_message (format=0x558a2178dc80 "%s") at ../../../bash/lib/readline/display.c:2642 #10 0x0000558a2170a987 in rl_display_search ( search_string=0x60c00000bb00 "=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P", flags=3, where=-1) at ../../../bash/lib/readline/isearch.c:196 #11 0x0000558a2170fab8 in _rl_isearch_dispatch (cxt=0x60f00000ed70, c=25) at ../../../bash/lib/readline/isearch.c:718 #12 0x0000558a2170fcaf in rl_search_history (direction=-1, invoking_key=18) at ../../../bash/lib/readline/isearch.c:762 #13 0x0000558a2170a7ad in rl_reverse_search_history (sign=1, key=18) at ../../../bash/lib/readline/isearch.c:136 #14 0x0000558a216e030e in _rl_dispatch_subseq (key=18, map=0x558a219e9da0 <emacs_standard_keymap>, got_subseq=0) at ../../../bash/lib/readline/readline.c:851 #15 0x0000558a216dfee9 in _rl_dispatch (key=-214609969, map=0x558a219e9da0 <emacs_standard_keymap>) at ../../../bash/lib/readline/readline.c:797 #16 0x0000558a216df728 in readline_internal_char () at ../../../bash/lib/readline/readline.c:629 #17 0x0000558a216df7ba in readline_internal_charloop () at ../../../bash/lib/readline/readline.c:656 #18 0x0000558a216df7de in readline_internal () at ../../../bash/lib/readline/readline.c:670 #19 0x0000558a216dee94 in readline (prompt=0x558a2177a000 "") at ../../../bash/lib/readline/readline.c:374 #20 0x0000558a2169a137 in edit_line (p=0x558a2177a000 "", itext=0x0) at ../../bash/builtins/../../bash/builtins/read.def:1095 ---Type <return> to continue, or q <return> to quit--- #21 0x0000558a21697aa5 in read_builtin (list=0x0) at 
../../bash/builtins/../../bash/builtins/read.def:559 #22 0x0000558a215adc8a in execute_builtin (builtin=0x558a21696013 <read_builtin>, words=0x60200000c630, flags=64, subshell=0) at ../bash/execute_cmd.c:4609 #23 0x0000558a215af8a0 in execute_builtin_or_function (words=0x60200000c630, builtin=0x558a21696013 <read_builtin>, var=0x0, redirects=0x0, fds_to_close=0x60200000c7d0, flags=64) at ../bash/execute_cmd.c:5107 #24 0x0000558a215ad120 in execute_simple_command (simple_command=0x60300000c4f0, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x60200000c7d0) at ../bash/execute_cmd.c:4395 #25 0x0000558a2159af43 in execute_command_internal (command=0x60300000c520, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x60200000c7d0) at ../bash/execute_cmd.c:811 #26 0x0000558a216850f5 in parse_and_execute (string=0x60200000c910 "read -e", from_file=0x558a21746120 "-c", flags=4) at ../../bash/builtins/evalstring.c:430 #27 0x0000558a21566402 in run_one_command (command=0x7ffed8a03718 "read -e") at ../bash/shell.c:1405 #28 0x0000558a215648db in main (argc=3, argv=0x7ffed8a018e8, env=0x7ffed8a01908) at ../bash/shell.c:718 (gdb) frame 6 #6 0x0000558a2174188c in _rl_find_prev_mbchar_internal ( string=0x60d00000c0d0 "(reverse-i-search)`=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀", '\276' <repeats 52 times>, seed=85, find_non_zero=0) at ../../../bash/lib/readline/mbutil.c:162 162 length = strlen(string); -- Eduardo Bustamante https://dualbus.me/