Avoid using (size_t)-1 as an offset. Also, not sure it makes sense to change the case of an invalid byte cast to (wchar_t).
$ bash --norc -in <<< $'\300\e-1\eL' lib/readline/text.c:1544:26: runtime error: addition of unsigned offset to 0x511000000680 overflowed to 0x51100000067f ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51100000067f at pc 0xc9bb80d44f94 bp 0xffffd27b8280 sp 0xffffd27b7a70 READ of size 2 at 0x51100000067f thread T0 #0 0xc9bb80d44f90 in __asan_memmove #1 0xc9bb8134c9a0 in rl_change_case lib/readline/text.c:1544:5 #2 0xc9bb8134d3f0 in rl_downcase_word lib/readline/text.c:1431:11 --- lib/readline/text.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/readline/text.c b/lib/readline/text.c index 5941b1a2..cdcb7c26 100644 --- a/lib/readline/text.c +++ b/lib/readline/text.c @@ -1510,10 +1510,11 @@ rl_change_case (int count, int op) else { m = MBRTOWC (&wc, rl_line_buffer + start, end - start, &mps); - if (MB_INVALIDCH (m)) - wc = (WCHAR_T)rl_line_buffer[start]; - else if (MB_NULLWCH (m)) - wc = L'\0'; + if (MB_INVALIDCH (m) || MB_NULLWCH (m)) + { + start = next; + continue; + } nwc = (nop == UpCase) ? _rl_to_wupper (wc) : _rl_to_wlower (wc); if (nwc != wc) /* just skip unchanged characters */ { -- 2.45.1
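Review bot: the replacement `start = next; continue;` assumes `next` already points past the byte(s) that MBRTOWC rejected, but the hunk's context does not show where `next` is assigned; if it is computed later in the loop body, or is still equal to `start` for an invalid sequence, the `continue` would repeat the iteration without advancing. Please widen the context to show the `next` assignment, or add a comment above `start = next;` stating that `next` was set before the MBRTOWC call, so the no-progress case is visibly ruled out. It would also help to state in the commit message that the heap-buffer-overflow at text.c:1544 (the memmove in the `if (nwc != wc)` block) is fixed by no longer deriving `wc` from a raw byte cast or from L'\0' and thereby never entering that block for invalid or NUL results, rather than by adding a bounds check at 1544, since the sanitizer trace and the hunk are some 30 lines apart.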