null ptr deref & segfault in multiple versions of bash

2015-09-16 Thread Brian Carpenter
<<$(()())|>_[$($(<<0)) triggers a null ptr deref and segfault in multiple versions of bash https://savannah.gnu.org/support/index.php?108884

4-byte script triggers null ptr deref and segfault

2015-09-17 Thread Brian Carpenter
While fuzzing GNU bash version 4.3.42(1)-release (x86_64-unknown-linux-gnu) with AFL (http://lcamtuf.coredump.cx/afl), I stumbled upon a 4-byte 'script' that triggers a null ptr deref and causes a segfault. https://savannah.gnu.org/support/index.php?108885

null ptr deref / segfault in bash 4.4.0(1)-beta

2015-09-18 Thread Brian Carpenter
While fuzzing bash 4.4.0(1)-beta compiled from the devel branch, I came across another script which triggers a null ptr dereference and a segfault. This script seems to crash these other versions of bash as well: 4.2.37(1)-release on x86_64 Debian, 4.3.39(1)-release on x86_64 Red Hat

hexdump -v -

segfault in extract_delimited_string () at subst.c:1291 (bash 4.4.0(1)-beta)

2015-09-19 Thread Brian Carpenter
While fuzzing bash 4.4.0(1)-beta compiled from the devel branch, I found a 'script' that causes a segfault. The attached also crashes bash 4.2.37(1)-release. The file is 1012B in size and I was unable to minimize it any further using the afl-tmin tool that comes with the AFL fuzzer.

Starting progr

null ptr deref + segfault bash 4.4.0(1)-beta

2015-09-19 Thread Brian Carpenter
I found another script that triggers a null ptr deref and then segfaults bash 4.4.0(1)-beta.

hexdump -C -v test25
5f 3d 20 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 3d |_= ____________=|
0010 24 7b 5f 5b 30 5d 7d 20 5f 3d 24 7b 5f 5f 5f 5f |${_[0]} _=${____|
0020 5f 5f 5f 5f 5f 5

null ptr deref and segfault in parameter_brace_transform.isra.17 () at subst.c:6827 (bash 4.4.0(1)-beta)

2015-09-19 Thread Brian Carpenter
I found another null ptr deref and segfault. This only seems to affect bash 4.4.0 as 4.2.37(1)-release and 4.2.37(1)-release only return a 'bad substitution' error message.

bash -c '${!a@a}'
Program received signal SIGSEGV, Segmentation fault.
0x005d36b7 in parameter_brace_transform.isra.

Re: null ptr deref and segfault in parameter_brace_transform.isra.17 () at subst.c:6827 (bash 4.4.0(1)-beta)

2015-09-19 Thread Brian Carpenter
Anyways, if you have any other questions or comments, feel free to send them my way.

On Sat, Sep 19, 2015 at 11:33 PM, Eduardo A. Bustamante López <dual...@gmail.com> wrote:
> On Sat, Sep 19, 2015 at 11:17:33PM -0500, Brian Carpenter wrote:
> > I found another null ptr deref an

null ptr deref in bash

2016-02-29 Thread Brian Carpenter
<<0 r["$(<<0)"] triggers a null ptr deref and segfault in bash 4.2.37(1)-release, 4.3.30(1)-release and 4.3.42(1)-release. This bug was found with American Fuzzy Lop.

valgrind -q ~/bash/bash test00
test00: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `0')
test00: line
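The reports above each give a reproducer and a bash version it crashes, but checking a batch of such findings against several installed versions is tedious by hand. The script below is an added example, not code from Brian Carpenter's posts or from the bash project: it runs a script text under a chosen bash binary and classifies the outcome from the exit status (a shell killed by signal n exits 128+n), then runs the three reproducers from this thread that fit on a `bash -c` line. The BASH_BIN and TIMEOUT_SECS variables, the per-run scratch directory, and the use of coreutils `timeout` and `mktemp -d` are assumptions of the example; the file-based reproducers (the 4-byte script, test25) are left out because only part of their bytes appears above.

```shell
#!/bin/sh
# Added triage helper (not code from the reports above): run a candidate bash
# script under a chosen bash binary and classify how that bash exits, so a
# batch of fuzzer findings can be re-checked against several installed
# versions without reading each backtrace by hand.
#
# Assumptions, none of them from the thread: the bash under test is named by
# BASH_BIN (default "bash" on PATH); coreutils "timeout" is used when present
# so a hanging input does not stall the batch; "mktemp -d" is available.

BASH_BIN="${BASH_BIN:-bash}"
TIMEOUT_SECS="${TIMEOUT_SECS:-5}"

# signal_name <number>: name the signals a crashing shell usually dies with.
signal_name() {
    case "$1" in
        6)  echo SIGABRT ;;   # abort(), e.g. from a malloc consistency check
        7)  echo SIGBUS ;;
        9)  echo SIGKILL ;;
        11) echo SIGSEGV ;;   # the null pointer dereferences in this thread
        *)  echo "SIG$1" ;;
    esac
}

# run_target <script>: run the script text via "$BASH_BIN -c" in a throwaway
# directory (the first reproducer above contains a redirect, so inputs may
# create files), with stdin closed and all output discarded. Returns the
# target's exit status; a shell killed by signal n shows up as 128+n.
run_target() {
    scratch=$(mktemp -d) || return 1
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        (cd "$scratch" && exec timeout "$TIMEOUT_SECS" "$BASH_BIN" -c "$1") \
            </dev/null >/dev/null 2>&1 || rc=$?
    else
        (cd "$scratch" && exec "$BASH_BIN" -c "$1") \
            </dev/null >/dev/null 2>&1 || rc=$?
    fi
    rm -rf "$scratch"
    return "$rc"
}

# classify_script <script>: print exactly one of
#   ok              target exited 0
#   error:<status>  target exited non-zero, e.g. a "bad substitution" message
#   hang            timeout fired (coreutils timeout exits 124)
#   signal:<name>   target was terminated by a signal (status 128+n)
classify_script() {
    status=0
    run_target "$1" || status=$?
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -eq 124 ]; then
        echo hang
    elif [ "$status" -gt 128 ]; then
        echo "signal:$(signal_name $((status - 128)))"
    else
        echo "error:$status"
    fi
}

# The reproducers from this thread that fit on a "bash -c" line. The
# file-based ones (the 4-byte script, test25) are left out because only part
# of their bytes appears above. On a fixed bash these should print "error:..."
# rather than "signal:SIGSEGV".
triage_thread_reproducers() {
    for script in '<<$(()())|>_[$($(<<0))' '<<0 r["$(<<0)"]' '${!a@a}'; do
        printf '%-28s %s\n' "$script" "$(classify_script "$script")"
    done
}

triage_thread_reproducers
```

Run it as BASH_BIN=/path/to/bash-4.3.42 sh triage.sh to check one build at a time. An exit status above 128 can also come from an ordinary `exit 139`, so treat a `signal:SIGSEGV` verdict as a lead and confirm it under gdb or valgrind, as the reports above do, before filing it.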