Found by fuzzing `read -e' with AFL. The stack trace reported by AddressSanitizer is followed by the base64-encoded crashing input.
==7938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bd00 at pc 0x55ae5ef673f0 bp 0x7ffd16140ec0 sp 0x7ffd16140eb8
WRITE of size 1 at 0x60c00000bd00 thread T0
    #0 0x55ae5ef673ef in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1023ef)
    #1 0x55ae5ef999e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #2 0x55ae5ef784f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #3 0x55ae5ef79458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #4 0x55ae5efdaed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #5 0x55ae5f06130d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x55ae5f061aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #7 0x55ae5f060ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x55ae5f060727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x55ae5f0607b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x55ae5f0607dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x55ae5f05fe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x55ae5f01b136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x55ae5f018aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x55ae5ef2ec89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x55ae5ef3089f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x55ae5ef2e11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x55ae5ef1bf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x55ae5ef2482e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x55ae5ef1cd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55ae5f0060f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55ae5eee7401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55ae5eee58da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7fd2fbb0c2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55ae5eee4749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)

0x60c00000bd00 is located 0 bytes to the right of 128-byte region [0x60c00000bc80,0x60c00000bd00)
allocated by thread T0 here:
    #0 0x7fd2fc379d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55ae5eff4d95 in xmalloc (/home/dualbus/src/gnu/bash-build/bash+0x18fd95)
    #2 0x55ae5ef668d7 in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1018d7)
    #3 0x55ae5ef999e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #4 0x55ae5ef784f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #5 0x55ae5ef79458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #6 0x55ae5efdaed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #7 0x55ae5f06130d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #8 0x55ae5f061aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #9 0x55ae5f060ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #10 0x55ae5f060727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #11 0x55ae5f0607b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #12 0x55ae5f0607dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #13 0x55ae5f05fe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #14 0x55ae5f01b136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #15 0x55ae5f018aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #16 0x55ae5ef2ec89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #17 0x55ae5ef3089f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #18 0x55ae5ef2e11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #19 0x55ae5ef1bf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #20 0x55ae5ef2482e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #21 0x55ae5ef1cd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #22 0x55ae5f0060f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #23 0x55ae5eee7401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #24 0x55ae5eee58da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #25 0x7fd2fbb0c2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x1023ef) in string_extract_double_quoted
Shadow bytes around the buggy address:
  0x0c187fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff97a0:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff97b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 fa
  0x0c187fff97d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fff97e0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7938==ABORTING

INPUT
suo/7TeANzc3Nzc0LDc2NoAAGwo3NxstSjcbLTQYf/82NjY2NjY2ADz/MxB/PP8qJCgoHi0pKT4p
AP8p/AD/KiRXV/8AfwB0joMASKAAPIAkKAABmJiYkpj09PT0mEr/mJiYmJiYmJiYmAB/mACARACr
AAKOPBkQADz/LiRDnZ42GVZ/////7z8oKCgH7OupKQCAKSkA/ygoACEoGyzr66uAqyE88PDw8AD/
MxDwARB/Sv8qJCgoHikpKT4pAP8AEAD8COhX/wB9xEAi+wEAAZh9mJKY9AADhARAf9obBQ==


==20067==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000767a at pc 0x5587995ef3f0 bp 0x7fffa1979d60 sp 0x7fffa1979d58
WRITE of size 1 at 0x60400000767a thread T0
    #0 0x5587995ef3ef in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1023ef)
    #1 0x5587996219e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #2 0x5587996004f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #3 0x558799601458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #4 0x558799662ed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #5 0x5587996e930d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x5587996e9aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #7 0x5587996e8ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x5587996e8727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x5587996e87b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x5587996e87dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x5587996e7e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x5587996a3136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x5587996a0aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x5587995b6c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x5587995b889f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x5587995b611f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x5587995a3f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x5587995ac82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x5587995a4d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55879968e0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55879956f401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55879956d8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7f1f493702b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55879956c749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)

0x60400000767a is located 0 bytes to the right of 42-byte region [0x604000007650,0x60400000767a)
allocated by thread T0 here:
    #0 0x7f1f49bddd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55879967cd95 in xmalloc (/home/dualbus/src/gnu/bash-build/bash+0x18fd95)
    #2 0x5587995ee8d7 in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1018d7)
    #3 0x5587996219e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #4 0x5587996004f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #5 0x558799601458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #6 0x558799662ed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #7 0x5587996e930d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #8 0x5587996e9aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #9 0x5587996e8ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #10 0x5587996e8727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #11 0x5587996e87b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #12 0x5587996e87dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #13 0x5587996e7e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #14 0x5587996a3136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #15 0x5587996a0aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #16 0x5587995b6c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #17 0x5587995b889f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #18 0x5587995b611f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #19 0x5587995a3f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #20 0x5587995ac82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #21 0x5587995a4d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #22 0x55879968e0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #23 0x55879956f401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #24 0x55879956d8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #25 0x7f1f493702b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x1023ef) in string_extract_double_quoted
Shadow bytes around the buggy address:
  0x0c087fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff8ec0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00[02]
  0x0c087fff8ed0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff8ee0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8ef0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8f00: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8f10: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20067==ABORTING

INPUT
Gz3uP0hlSCZIA5AAEAAACz09WD45OBo8STweNTwAAAEoGQD/GAAbpqempqamXiRbHlUAAQAEABkb
Dhs2PEwBPzwlADw8bhk8HjwAAQAFAF1NXV1FXSrxXWALgYDvAGAEKyRbHlUAsV4kWx5VAAEABAAZ
BFVVVVVVVW5VNxsClhT//xSWkBsk+gkDVSIFGxsgGyQbZB8QAAAJCQkJBAkJCQkqAKEUAnwCG1QA
lf3//+9/AKEA6ip//xsAAIDplBQbAnRTJCcaAi8uCQkJBQAAECAJCQMJBAkJCQkqAKEUAnwCG1Qk
KAAAAeAvFJZkAAAAKgCXFAL//wXeGwU=


==21184==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ba2b at pc 0x55cb10a913f0 bp 0x7ffed66d10c0 sp 0x7ffed66d10b8
WRITE of size 1 at 0x60300000ba2b thread T0
    #0 0x55cb10a913ef in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1023ef)
    #1 0x55cb10ac39e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #2 0x55cb10aa24f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #3 0x55cb10aa3458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #4 0x55cb10b04ed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #5 0x55cb10b8b30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x55cb10b8baef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #7 0x55cb10b8aee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x55cb10b8a727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x55cb10b8a7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x55cb10b8a7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x55cb10b89e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x55cb10b45136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x55cb10b42aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x55cb10a58c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x55cb10a5a89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x55cb10a5811f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x55cb10a45f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x55cb10a4e82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x55cb10a46d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55cb10b300f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55cb10a11401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55cb10a0f8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7fdf1e9ad2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55cb10a0e749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)

0x60300000ba2b is located 0 bytes to the right of 27-byte region [0x60300000ba10,0x60300000ba2b)
allocated by thread T0 here:
    #0 0x7fdf1f21ad28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55cb10b1ed95 in xmalloc (/home/dualbus/src/gnu/bash-build/bash+0x18fd95)
    #2 0x55cb10a908d7 in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1018d7)
    #3 0x55cb10ac39e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #4 0x55cb10aa24f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #5 0x55cb10aa3458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #6 0x55cb10b04ed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #7 0x55cb10b8b30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #8 0x55cb10b8baef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #9 0x55cb10b8aee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #10 0x55cb10b8a727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #11 0x55cb10b8a7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #12 0x55cb10b8a7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #13 0x55cb10b89e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #14 0x55cb10b45136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #15 0x55cb10b42aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #16 0x55cb10a58c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #17 0x55cb10a5a89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #18 0x55cb10a5811f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #19 0x55cb10a45f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #20 0x55cb10a4e82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #21 0x55cb10a46d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #22 0x55cb10b300f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #23 0x55cb10a11401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #24 0x55cb10a0f8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #25 0x7fdf1e9ad2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x1023ef) in string_extract_double_quoted
Shadow bytes around the buggy address:
  0x0c067fff96f0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff9700: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff9710: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff9720: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff9730: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
=>0x0c067fff9740: fa fa 00 00 00[03]fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff9750: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff9760: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff9770: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff9780: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff9790: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21184==ABORTING

INPUT
EAMYNQIqDhshFszM/cBA///YV8zMdQAAABAAACIAzNjMzK3MzX+rAEBcXFxcJCQoAAIAght/f39/
f11/XH9/f39/f39/fvyAXJhcXFxcXMzMderMkQAAAAAiAMzYzHnMyM1cXFxcXFRcXFwAXFxcXFwk
JBsFAAsiAMzYzMzMzM1cXFxcXFRcXH0AXFxcXFwkJBsF


==22415==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f00000ef03 at pc 0x55db38a9d3f0 bp 0x7ffce85934f0 sp 0x7ffce85934e8
WRITE of size 1 at 0x60f00000ef03 thread T0
    #0 0x55db38a9d3ef in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1023ef)
    #1 0x55db38acf9e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #2 0x55db38aae4f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #3 0x55db38aaf458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #4 0x55db38b10ed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #5 0x55db38b9730d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x55db38b97aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #7 0x55db38b96ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x55db38b96727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x55db38b967b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x55db38b967dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x55db38b95e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x55db38b51136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x55db38b4eaa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x55db38a64c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x55db38a6689f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x55db38a6411f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x55db38a51f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x55db38a5a82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x55db38a52d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55db38b3c0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55db38a1d401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55db38a1b8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7f7fff6e62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55db38a1a749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)

0x60f00000ef03 is located 0 bytes to the right of 163-byte region [0x60f00000ee60,0x60f00000ef03)
allocated by thread T0 here:
    #0 0x7f7ffff53d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55db38b2ad95 in xmalloc (/home/dualbus/src/gnu/bash-build/bash+0x18fd95)
    #2 0x55db38a9c8d7 in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1018d7)
    #3 0x55db38acf9e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #4 0x55db38aae4f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #5 0x55db38aaf458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #6 0x55db38b10ed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #7 0x55db38b9730d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #8 0x55db38b97aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #9 0x55db38b96ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #10 0x55db38b96727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #11 0x55db38b967b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #12 0x55db38b967dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #13 0x55db38b95e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #14 0x55db38b51136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #15 0x55db38b4eaa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #16 0x55db38a64c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #17 0x55db38a6689f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #18 0x55db38a6411f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #19 0x55db38a51f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #20 0x55db38a5a82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #21 0x55db38a52d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #22 0x55db38b3c0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #23 0x55db38a1d401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #24 0x55db38a1b8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #25 0x7f7fff6e62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x1023ef) in string_extract_double_quoted
Shadow bytes around the buggy address:
  0x0c1e7fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1e7fff9dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff9de0:[03]fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1e7fff9df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1e7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22415==ABORTING

INPUT
GwEWAAF/AMwALugAAH8Wf5ZXAP9///hkXWZdRGRkAAB/luT/4v8gYAsBgCRa3QIikl4kWyNVCfYQ
APo7APsEAAsEAAvfV4CBGVMa+RtJTU1NI1eATACYK3lIJBt5zUtLJiYmJglLS0tLS0tLS0tLS0tL
S0tLS0tLaUtL/0tL8kuDTU0WFJQgAAAAeVVjVWjVVVVVVkI3GwKWNP//ABlTGvkbSf////hkXWZd
RGRkTST/3sgATU1NEG9hTfz/gF1NVwD/f//4ZH9dZl1EZGRNJCgBTU1NTU1JTU3xTN9N+UxvTU1G
Tf8QAHR0EF1NCBuA/wAbBQ==


==20379==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007ef9 at pc 0x564df0fe33f0 bp 0x7ffe40f0cbe0 sp 0x7ffe40f0cbd8
WRITE of size 1 at 0x602000007ef9 thread T0
    #0 0x564df0fe33ef in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1023ef)
    #1 0x564df10159e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #2 0x564df0ff44f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #3 0x564df0ff5458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #4 0x564df1056ed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #5 0x564df10dd30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x564df10ddaef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #7 0x564df10dcee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x564df10dc727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x564df10dc7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x564df10dc7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x564df10dbe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x564df1097136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x564df1094aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x564df0faac89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x564df0fac89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x564df0faa11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x564df0f97f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x564df0fa082e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x564df0f98d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x564df10820f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x564df0f63401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x564df0f618da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7f4f9ae362b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x564df0f60749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)

0x602000007ef9 is located 0 bytes to the right of 9-byte region [0x602000007ef0,0x602000007ef9)
allocated by thread T0 here:
    #0 0x7f4f9b6a3d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x564df1070d95 in xmalloc (/home/dualbus/src/gnu/bash-build/bash+0x18fd95)
    #2 0x564df0fe28d7 in string_extract_double_quoted (/home/dualbus/src/gnu/bash-build/bash+0x1018d7)
    #3 0x564df10159e7 in expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1349e7)
    #4 0x564df0ff44f3 in call_expand_word_internal (/home/dualbus/src/gnu/bash-build/bash+0x1134f3)
    #5 0x564df0ff5458 in expand_word (/home/dualbus/src/gnu/bash-build/bash+0x114458)
    #6 0x564df1056ed3 in shell_expand_line (/home/dualbus/src/gnu/bash-build/bash+0x175ed3)
    #7 0x564df10dd30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #8 0x564df10ddaef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #9 0x564df10dcee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #10 0x564df10dc727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #11 0x564df10dc7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #12 0x564df10dc7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #13 0x564df10dbe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #14 0x564df1097136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #15 0x564df1094aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #16 0x564df0faac89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #17 0x564df0fac89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #18 0x564df0faa11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #19 0x564df0f97f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #20 0x564df0fa082e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #21 0x564df0f98d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #22 0x564df10820f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #23 0x564df0f63401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #24 0x564df0f618da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #25 0x7f4f9ae362b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x1023ef) in string_extract_double_quoted
Shadow bytes around the buggy address:
  0x0c047fff8f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8fc0: fa fa fa fa fa fa fa fa fa fa fd fa fa fa 03 fa
=>0x0c047fff8fd0: fa fa 00 06 fa fa 02 fa fa fa fd fd fa fa 00[01]
  0x0c047fff8fe0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8ff0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9000: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9020: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20379==ABORTING

INPUT
G+4AAEv///1////3gBqpoPkFBQUFBSQbG2OAEAUFBQUFJBVJSUlJSUlJSUlJSUlJSUlJSUlJSUlJ
SUlJ/yVBqLwkQkf5lgv8AOwA/yj/sLC0sLHTsLCwsACWfj4kGvYgQQZ8fe4kJDVTPCT0JADrl5eq
l5eXl5eXl5eXl5eXdJeXZAAAAECXl+vr6+uAfyIbG2OA+QUFBQUFJBsbY4AQBQUFBQUkAAAAfwUF
BQUFBQUFBQUFBQCTFAAkKAAbBQ==

--
Eduardo Bustamante
https://dualbus.me/
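An added replay harness, not part of the report above and not the reporter's own tooling. It takes the first base64 input from the report, decodes it, and checks two things a practitioner would want to confirm before triaging: that the input ends in the bytes 0x1b 0x05 (ESC C-e, which readline receives as M-C-e, the default binding for shell-expand-line; that matches the shell_expand_line frame below expand_word in every trace, since that command runs the editing buffer through word expansion and so reaches string_extract_double_quoted), and that feeding the bytes to `read -e` on stdin of an ASan-instrumented bash reproduces the report. The path to the instrumented binary (BASH_ASAN, defaulting to ./bash) and the assumption that the fuzzing harness delivered the input on stdin are mine, not stated in the report.

```shell
#!/bin/sh
# Added replay harness for the AFL crash inputs above (not the reporter's code).
# Assumptions, not stated in the report: the ASan build of bash is $BASH_ASAN
# (default ./bash) and the fuzzer fed each input to `read -e` on stdin.

# First crashing input from the report (pid 7938), copied verbatim.
INPUT_7938='suo/7TeANzc3Nzc0LDc2NoAAGwo3NxstSjcbLTQYf/82NjY2NjY2ADz/MxB/PP8qJCgoHi0pKT4p
AP8p/AD/KiRXV/8AfwB0joMASKAAPIAkKAABmJiYkpj09PT0mEr/mJiYmJiYmJiYmAB/mACARACr
AAKOPBkQADz/LiRDnZ42GVZ/////7z8oKCgH7OupKQCAKSkA/ygoACEoGyzr66uAqyE88PDw8AD/
MxDwARB/Sv8qJCgoHikpKT4pAP8AEAD8COhX/wB9xEAi+wEAAZh9mJKY9AADhARAf9obBQ=='

# decode_input BLOB FILE: strip the mail line wrapping, base64-decode into FILE.
decode_input() {
    printf '%s' "$1" | tr -d ' \t\n' | base64 -d > "$2"
}

# tail_hex FILE N: last N bytes of FILE as lowercase hex without separators.
tail_hex() {
    tail -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# ends_with_expand_line FILE: succeeds if the input ends in ESC C-e, the
# default M-C-e binding that makes readline call shell_expand_line on the
# buffer typed so far (the frame seen right below expand_word in the traces).
ends_with_expand_line() {
    [ "$(tail_hex "$1" 2)" = "1b05" ]
}

# replay FILE: run `read -e` with FILE on stdin under the ASan build.
# Returns 0 if ASan reported an error, 1 if the run was clean, 2 if no
# instrumented binary was found. stdout and stderr are captured so readline's
# terminal escapes and the ASan report never hit the caller's terminal raw.
replay() {
    bin="${BASH_ASAN:-./bash}"
    [ -x "$bin" ] || return 2
    out=$("$bin" -c 'read -e' < "$1" 2>&1) || :
    case $out in
        *AddressSanitizer*) printf '%s\n' "$out"; return 0 ;;
        *) return 1 ;;
    esac
}

tmp=$(mktemp)
decode_input "$INPUT_7938" "$tmp"
if ends_with_expand_line "$tmp"; then
    echo "input ends in ESC C-e (shell-expand-line), consistent with the traces"
fi
rc=0
replay "$tmp" || rc=$?
case $rc in
    0) echo "ASan report reproduced" ;;
    1) echo "no ASan report: binary is fixed or not instrumented" ;;
    2) echo "set BASH_ASAN to an ASan-instrumented bash to replay the input" ;;
esac
rm -f "$tmp"
```

The same functions replay the other four inputs in the report: each of them also ends in the bytes 1b 05, so the trigger is the same readline command in every case, and only the length of the double-quoted text in front of it differs (which is why the overflowed regions are 128, 42, 27, 163 and 9 bytes).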