It seems like this is another case of strlen reading too much.
dualbus@debian:~/src/gnu/bash-build$ base64 <
/home/dualbus/bash-fuzzing/read-readline/output/10/crashes/id:000011,sig:06,src:001239+003201,op:splice,rep:2
GwMWF/zuFQAXCxcXFwAD6FNTALwAABAAgCkZGRkZ/zpQFxkZGRkZGRcXIH/6AAD6jlxchDP8GQAB
AFhLYEpLZ0tKOEsQSz0aGgIZGSEZAID/GRkZGRkZS0tXS0tLAAAAAEtLHBMZWmBKS0tLSjhLEEtL
S0tKS0tLSj0+EEtLHBkZGRkZGbS8Ehn/OlAXGRkZGRkZFxcgLA==
dualbus@debian:~/src/gnu/bash-build$
ASAN_OPTIONS=disable_coredump=0:unmap_shadow_on_exit=1:abort_on_error=1 ./bash
-c 'read -e' <
/home/dualbus/bash-fuzzing/read-readline/output/10/crashes/id:000011,sig:06,src:001239+003201,op:splice,rep:2
> /dev/null 2>&1
Aborted (core dumped)
dualbus@debian:~/src/gnu/bash-build$ cat stacktrace
=================================================================
==26129==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60d00000c159 at pc 0x7f40f3b2a063 bp 0x7ffed8a00070 sp 0x7ffed89ff820
READ of size 138 at 0x60d00000c159 thread T0
#0 0x7f40f3b2a062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
#1 0x558a2174188b in _rl_find_prev_mbchar_internal
../../../bash/lib/readline/mbutil.c:162
#2 0x558a2174235c in _rl_find_prev_mbchar
../../../bash/lib/readline/mbutil.c:369
#3 0x558a21710ca1 in expand_prompt ../../../bash/lib/readline/display.c:471
#4 0x558a2171c190 in rl_message ../../../bash/lib/readline/display.c:2642
#5 0x558a2170a986 in rl_display_search
../../../bash/lib/readline/isearch.c:196
#6 0x558a2170fab7 in _rl_isearch_dispatch
../../../bash/lib/readline/isearch.c:718
#7 0x558a2170fcae in rl_search_history
../../../bash/lib/readline/isearch.c:762
#8 0x558a2170a7ac in rl_reverse_search_history
../../../bash/lib/readline/isearch.c:136
#9 0x558a216e030d in _rl_dispatch_subseq
../../../bash/lib/readline/readline.c:851
#10 0x558a216dfee8 in _rl_dispatch ../../../bash/lib/readline/readline.c:797
#11 0x558a216df727 in readline_internal_char
../../../bash/lib/readline/readline.c:629
#12 0x558a216df7b9 in readline_internal_charloop
../../../bash/lib/readline/readline.c:656
#13 0x558a216df7dd in readline_internal
../../../bash/lib/readline/readline.c:670
#14 0x558a216dee93 in readline ../../../bash/lib/readline/readline.c:374
#15 0x558a2169a136 in edit_line
../../bash/builtins/../../bash/builtins/read.def:1095
#16 0x558a21697aa4 in read_builtin
../../bash/builtins/../../bash/builtins/read.def:559
#17 0x558a215adc89 in execute_builtin ../bash/execute_cmd.c:4609
#18 0x558a215af89f in execute_builtin_or_function ../bash/execute_cmd.c:5107
#19 0x558a215ad11f in execute_simple_command ../bash/execute_cmd.c:4395
#20 0x558a2159af42 in execute_command_internal ../bash/execute_cmd.c:811
#21 0x558a216850f4 in parse_and_execute ../../bash/builtins/evalstring.c:430
#22 0x558a21566401 in run_one_command ../bash/shell.c:1405
#23 0x558a215648da in main ../bash/shell.c:718
#24 0x7f40f33422b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#25 0x558a21563749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x60d00000c159 is located 0 bytes to the right of 137-byte region
[0x60d00000c0d0,0x60d00000c159)
allocated by thread T0 here:
#0 0x7f40f3bafd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x558a21673d95 in xmalloc ../bash/xmalloc.c:112
#2 0x558a21710574 in expand_prompt ../../../bash/lib/readline/display.c:389
#3 0x558a2171c190 in rl_message ../../../bash/lib/readline/display.c:2642
#4 0x558a2170a986 in rl_display_search
../../../bash/lib/readline/isearch.c:196
#5 0x558a2170fab7 in _rl_isearch_dispatch
../../../bash/lib/readline/isearch.c:718
#6 0x558a2170fcae in rl_search_history
../../../bash/lib/readline/isearch.c:762
#7 0x558a2170a7ac in rl_reverse_search_history
../../../bash/lib/readline/isearch.c:136
#8 0x558a216e030d in _rl_dispatch_subseq
../../../bash/lib/readline/readline.c:851
#9 0x558a216dfee8 in _rl_dispatch ../../../bash/lib/readline/readline.c:797
#10 0x558a216df727 in readline_internal_char
../../../bash/lib/readline/readline.c:629
#11 0x558a216df7b9 in readline_internal_charloop
../../../bash/lib/readline/readline.c:656
#12 0x558a216df7dd in readline_internal
../../../bash/lib/readline/readline.c:670
#13 0x558a216dee93 in readline ../../../bash/lib/readline/readline.c:374
#14 0x558a2169a136 in edit_line
../../bash/builtins/../../bash/builtins/read.def:1095
#15 0x558a21697aa4 in read_builtin
../../bash/builtins/../../bash/builtins/read.def:559
#16 0x558a215adc89 in execute_builtin ../bash/execute_cmd.c:4609
#17 0x558a215af89f in execute_builtin_or_function ../bash/execute_cmd.c:5107
#18 0x558a215ad11f in execute_simple_command ../bash/execute_cmd.c:4395
#19 0x558a2159af42 in execute_command_internal ../bash/execute_cmd.c:811
#20 0x558a216850f4 in parse_and_execute ../../bash/builtins/evalstring.c:430
#21 0x558a21566401 in run_one_command ../bash/shell.c:1405
#22 0x558a215648da in main ../bash/shell.c:718
#23 0x7f40f33422b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
Shadow bytes around the buggy address:
0x0c1a7fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff9810: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c1a7fff9820: 00 00 00 00 00 00 00 00 00 00 00[01]fa fa fa fa
0x0c1a7fff9830: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1a7fff9840: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
0x0c1a7fff9850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1a7fff9860: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1a7fff9870: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26129==ABORTING
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f40f33563fa in __GI_abort () at abort.c:89
#2 0x00007f40f3bc9329 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#3 0x00007f40f3bbe9ab in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#4 0x00007f40f3bb8b57 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#5 0x00007f40f3b2a07e in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#6 0x0000558a2174188c in _rl_find_prev_mbchar_internal (
string=0x60d00000c0d0
"(reverse-i-search)`=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀",
'\276' <repeats 52 times>, seed=85,
find_non_zero=0) at ../../../bash/lib/readline/mbutil.c:162
#7 0x0000558a2174235d in _rl_find_prev_mbchar (
string=0x60d00000c0d0
"(reverse-i-search)`=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀",
'\276' <repeats 52 times>, seed=85, flags=0)
at ../../../bash/lib/readline/mbutil.c:369
#8 0x0000558a21710ca2 in expand_prompt (
pmt=0x60e00000df60
"(reverse-i-search)`=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P':
", flags=0,
lp=0x558a21a06040 <prompt_visible_length>, lip=0x558a21a06100
<prompt_last_invisible>,
niflp=0x558a21a06180 <prompt_invis_chars_first_line>, vlp=0x558a21a06200
<prompt_physical_chars>)
at ../../../bash/lib/readline/display.c:471
#9 0x0000558a2171c191 in rl_message (format=0x558a2178dc80 "%s") at
../../../bash/lib/readline/display.c:2642
#10 0x0000558a2170a987 in rl_display_search (
search_string=0x60c00000bb00
"=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P",
flags=3, where=-1) at ../../../bash/lib/readline/isearch.c:196
#11 0x0000558a2170fab8 in _rl_isearch_dispatch (cxt=0x60f00000ed70, c=25) at
../../../bash/lib/readline/isearch.c:718
#12 0x0000558a2170fcaf in rl_search_history (direction=-1, invoking_key=18) at
../../../bash/lib/readline/isearch.c:762
#13 0x0000558a2170a7ad in rl_reverse_search_history (sign=1, key=18) at
../../../bash/lib/readline/isearch.c:136
#14 0x0000558a216e030e in _rl_dispatch_subseq (key=18, map=0x558a219e9da0
<emacs_standard_keymap>, got_subseq=0)
at ../../../bash/lib/readline/readline.c:851
#15 0x0000558a216dfee9 in _rl_dispatch (key=-214609969, map=0x558a219e9da0
<emacs_standard_keymap>)
at ../../../bash/lib/readline/readline.c:797
#16 0x0000558a216df728 in readline_internal_char () at
../../../bash/lib/readline/readline.c:629
#17 0x0000558a216df7ba in readline_internal_charloop () at
../../../bash/lib/readline/readline.c:656
#18 0x0000558a216df7de in readline_internal () at
../../../bash/lib/readline/readline.c:670
#19 0x0000558a216dee94 in readline (prompt=0x558a2177a000 "") at
../../../bash/lib/readline/readline.c:374
#20 0x0000558a2169a137 in edit_line (p=0x558a2177a000 "", itext=0x0) at
../../bash/builtins/../../bash/builtins/read.def:1095
---Type <return> to continue, or q <return> to quit---
#21 0x0000558a21697aa5 in read_builtin (list=0x0) at
../../bash/builtins/../../bash/builtins/read.def:559
#22 0x0000558a215adc8a in execute_builtin (builtin=0x558a21696013
<read_builtin>, words=0x60200000c630, flags=64, subshell=0)
at ../bash/execute_cmd.c:4609
#23 0x0000558a215af8a0 in execute_builtin_or_function (words=0x60200000c630,
builtin=0x558a21696013 <read_builtin>, var=0x0,
redirects=0x0, fds_to_close=0x60200000c7d0, flags=64) at
../bash/execute_cmd.c:5107
#24 0x0000558a215ad120 in execute_simple_command
(simple_command=0x60300000c4f0, pipe_in=-1, pipe_out=-1, async=0,
fds_to_close=0x60200000c7d0) at ../bash/execute_cmd.c:4395
#25 0x0000558a2159af43 in execute_command_internal (command=0x60300000c520,
asynchronous=0, pipe_in=-1, pipe_out=-1,
fds_to_close=0x60200000c7d0) at ../bash/execute_cmd.c:811
#26 0x0000558a216850f5 in parse_and_execute (string=0x60200000c910 "read -e",
from_file=0x558a21746120 "-c", flags=4)
at ../../bash/builtins/evalstring.c:430
#27 0x0000558a21566402 in run_one_command (command=0x7ffed8a03718 "read -e") at
../bash/shell.c:1405
#28 0x0000558a215648db in main (argc=3, argv=0x7ffed8a018e8,
env=0x7ffed8a01908) at ../bash/shell.c:718
(gdb) frame 6
#6 0x0000558a2174188c in _rl_find_prev_mbchar_internal (
string=0x60d00000c0d0
"(reverse-i-search)`=\372\\\\3\372\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀)\027\374\027\374\027\374\027\374\377:P\356SS輀",
'\276' <repeats 52 times>, seed=85,
find_non_zero=0) at ../../../bash/lib/readline/mbutil.c:162
162 length = strlen(string);
--
Eduardo Bustamante
https://dualbus.me/
