The history expansion code can end up reading past the end of the input line buffer if the line ends with an invalid multibyte sequence:

    bash --norc -in <<<$'X\n\e238Y!!\xC2\xC2'

    ERROR: AddressSanitizer: heap-buffer-overflow
    READ of size 1 at 0x000108b48400 thread T0
        #0 0x104ed9c88 in history_expand histexpand.c:1129
        #1 0x104b761b0 in pre_process_line bashhist.c:570
        #2 0x10482a540 in shell_getc parse.y:2512

diff --git a/lib/readline/histexpand.c b/lib/readline/histexpand.c index db344b49..425ea7cf 100644 --- a/lib/readline/histexpand.c +++ b/lib/readline/histexpand.c @@ -1121,7 +1121,7 @@ history_expand (const char *hstring, char **output) c = tchar; memset (mb, 0, sizeof (mb)); - for (k = 0; k < MB_LEN_MAX; k++) + for (k = 0; k < MB_LEN_MAX && i < l; k++) { mb[k] = (char)c; memset (&ps, 0, sizeof (mbstate_t));
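
Review bot: the new `i < l` test in the `for` condition only runs at the top of each iteration, so whether it closes the over-read depends on where the body advances `i` and fetches the next byte into `c`, and neither is visible in this hunk. Please confirm that the furthest index the body can read once `i < l` has passed is still inside the buffer (the terminating NUL at most), or move the bound to the statement that actually performs the read. It is also worth checking the code after the loop: when the loop now stops because `i` reached `l`, `mb` holds an incomplete sequence, and that path should treat it as plain bytes rather than assume a complete character. A short comment on the condition explaining that it guards a line ending in a truncated multibyte sequence, plus a regression test built from the reproducer above, would keep this from regressing.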