On Thu, Jun 15, 2017 at 09:39:09AM -0500, Eduardo Bustamante wrote: > Found by fuzzing `read -e' with AFL. The stacktrace reported by Address > Sanitizer is followed by the base64 encoded crashing input. > > > ==472==ERROR: AddressSanitizer: heap-buffer-overflow on address > 0x61100000977f at pc 0x562befba4a14 bp 0x7ffdee172bb0 sp 0x7ffdee172ba8 > READ of size 1 at 0x61100000977f thread T0 > #0 0x562befba4a13 in rl_tilde_expand > (/home/dualbus/src/gnu/bash-build/bash+0x23ba13)
This one looks like an easy fix. When `start = 0', the loop ends up dereferencing `rl_line_buffer[-1]'. Changing the order of the test does the trick. dualbus@debian:~/src/gnu/bash$ git difftool -y -x 'diff -c' -- lib/readline/util.c *** /tmp/zFXFei_util.c 2017-06-16 09:34:03.958088209 -0500 --- lib/readline/util.c 2017-06-16 09:33:09.384638705 -0500 *************** *** 193,199 **** } else if (start >= 0 && rl_line_buffer[start] != '~') { ! for (; !whitespace (rl_line_buffer[start]) && start >= 0; start--) ; start++; } --- 193,199 ---- } else if (start >= 0 && rl_line_buffer[start] != '~') { ! for (; start >= 0 && !whitespace (rl_line_buffer[start]); start--) ; start++; } -- Eduardo Bustamante https://dualbus.me/