mkdir -p /tmp/bin >'/tmp/bin/$' chmod +x '/tmp/bin/$' PATH=/tmp/bin ./bash --norc -in <<<$'\e*'
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0001039a9913 at pc 0x0001004d57b4 bp 0x00016fdf1350 sp 0x00016fdf1348 WRITE of size 1 at 0x0001039a9913 thread T0 frame #5: 0x00000001004d57b4 bash`sh_mkdoublequoted(s="", slen=1, flags=1) at shquote.c:211:6 frame #6: 0x00000001003410e4 bash`bash_quote_filename(s="$", rtype=1, qcp="") at bashline.c:4301:15 frame #7: 0x0000000100554b30 bash`make_quoted_replacement(match="$", mtype=1, qc="") at complete.c:1797:16 frame #8: 0x0000000100549aec bash`insert_all_matches(matches=0x0000000106600200, point=0, qc="") at complete.c:1945:9 frame #9: 0x000000010053c63c bash`rl_complete_internal(what_to_do=42) at complete.c:2144:7 frame #10: 0x000000010053d450 bash`rl_insert_completions(ignore=1, invoking_key=42) at complete.c:466:11 frame #5: 0x00000001004d57b4 bash`sh_mkdoublequoted(s="", slen=1, flags=1) at shquote.c:211:6 208 *r++ = *s++; 209 } 210 *r++ = '"'; -> 211 *r = '\0'; 212 213 return ret; 214 } (lldb) fr v ret rlen (char *) ret = 0x00000001039a9910 "\"$\"" (size_t) rlen = 3
diff --git a/lib/sh/shquote.c b/lib/sh/shquote.c
index a27b9202..98b3d927 100644
--- a/lib/sh/shquote.c
+++ b/lib/sh/shquote.c
@@ -188,7 +188,7 @@ sh_mkdoublequoted (const char *s, size_t slen, int flags)
 send = s + slen;
 mb_cur_max = flags ? MB_CUR_MAX : 1;
- rlen = (flags == 0) ? slen + 3 : (2 * slen) + 1;
+ rlen = (flags == 0) ? slen + 3 : (2 * slen) + 3;
 ret = r = (char *)xmalloc (rlen);
 *r++ = '"';
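Review bot: The corrected size on the `+` line is right but carries no explanation, and the old `+1` shows how easily the two quote bytes get dropped when only the NUL terminator is counted; add `/* 2*slen for worst-case backslash escapes, 2 for the surrounding quotes, 1 for the NUL */` above the `rlen =` line so the budget is visible next to the formula. The lldb frame on the page confirms the overflow is the terminator write `*r = '\0'` at shquote.c:211, one byte past a 3-byte allocation holding `"$"`, which matches the ASan report of a 1-byte write at the buffer end. Because the escaping loop and the size formula are separated by several lines, a cheap regression guard is to check `r - ret < rlen` (an assert in debug builds would do) before the terminator write. sh_mkdoublequoted's body starts before and ends after the hunk.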