From: Eduardo A. Bustamante López
Newsgroups: gnu.bash.bug
Subject: Segmentation fault in pat_subst
Date: Sat, 20 Jul 2019 15:23:00 -0700
References: <20190720222300.GA13083@system76-pc.vc.shawcable.net>
To: bug-bash@gnu.org

Bash `devel' crashes under the following circumstances:

| dualbus@system76-pc:/tmp/build-bash-devel$ CFLAGS='-O0 -ggdb' ~/src/gnu/bash/configure --with-bash-malloc
| (...)
| dualbus@system76-pc:/tmp/build-bash-devel$ make -j$(nproc)
| (...)
| dualbus@system76-pc:/tmp/build-bash-devel$ ./bash -c $'x=0; : ${x/#[0\xef\xbf\xbd\\Z[:]]}'
| Segmentation fault (core dumped)

Here's the stack trace:

| dualbus@system76-pc:/tmp/build-bash-devel$ gdb ./bash --args ./bash -c $'x=0; : ${x/#[0\xef\xbf\xbd\\Z[:]]}'
| GNU gdb (Debian 8.2.1-2+b1) 8.2.1
| (...)
| Reading symbols from ./bash...done.
| (gdb) r
| Starting program: /tmp/build-bash-devel/bash -c x=0\;\ :\ \$\{x/\#\[0�\\Z\[:\]\]\}
|
| Program received signal SIGSEGV, Segmentation fault.
| 0x00005555555d1fae in pat_subst (string=0x55555575f298 "0", pat=0x555555764509 "[0�\\Z[:]]", rep=0x0, mflags=1) at /home/dualbus/src/gnu/bash/subst.c:8136
| 8136        if (str && *str)
| (gdb) bt
| #0  0x00005555555d1fae in pat_subst (string=0x55555575f298 "0", pat=0x555555764509 "[0�\\Z[:]]", rep=0x0, mflags=1) at /home/dualbus/src/gnu/bash/subst.c:8136
| #1  0x00005555555d250b in parameter_brace_patsub (varname=0x55555575f248 "x", value=0x55555575f288 "0", ind=0, patsub=0x555555763f48 "#[0�\\Z[:]]", quoted=0, pflags=0, flags=0)
|     at /home/dualbus/src/gnu/bash/subst.c:8306
| #2  0x00005555555d47e2 in parameter_brace_expand (string=0x555555763f28 "${x/#[0�\\Z[:]]}", indexp=0x7fffffffe0d8, quoted=0, pflags=0, quoted_dollar_atp=0x7fffffffe1d4,
|     contains_dollar_at=0x7fffffffe1cc) at /home/dualbus/src/gnu/bash/subst.c:9028
| #3  0x00005555555d5ae8 in param_expand (string=0x555555763f28 "${x/#[0�\\Z[:]]}", sindex=0x7fffffffe1d8, quoted=0, expanded_something=0x7fffffffe374, contains_dollar_at=0x7fffffffe1cc,
|     quoted_dollar_at_p=0x7fffffffe1d4, had_quoted_null_p=0x7fffffffe1d0, pflags=0) at /home/dualbus/src/gnu/bash/subst.c:9557
| #4  0x00005555555d6ed8 in expand_word_internal (word=0x555555763f68, quoted=0, isexp=0, contains_dollar_at=0x7fffffffe370, expanded_something=0x7fffffffe374)
|     at /home/dualbus/src/gnu/bash/subst.c:10125
| #5  0x00005555555da0b6 in shell_expand_word_list (tlist=0x555555763f88, eflags=31) at /home/dualbus/src/gnu/bash/subst.c:11504
| #6  0x00005555555da3bb in expand_word_list_internal (list=0x555555763948, eflags=31) at /home/dualbus/src/gnu/bash/subst.c:11628
| #7  0x00005555555d95b9 in expand_words (list=0x555555763948) at /home/dualbus/src/gnu/bash/subst.c:11148
| #8  0x00005555555a51d9 in execute_simple_command (simple_command=0x5555557639c8, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x555555763a88)
|     at /home/dualbus/src/gnu/bash/execute_cmd.c:4334
| #9  0x000055555559ed6b in execute_command_internal (command=0x555555763988, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555763a88)
|     at /home/dualbus/src/gnu/bash/execute_cmd.c:823
| #10 0x00005555555a2116 in execute_connection (command=0x555555763a48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555763a88) at /home/dualbus/src/gnu/bash/execute_cmd.c:2707
| #11 0x000055555559f134 in execute_command_internal (command=0x555555763a48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555763a88)
|     at /home/dualbus/src/gnu/bash/execute_cmd.c:996
| #12 0x0000555555609e4d in parse_and_execute (string=0x5555557632c8 "x=0; : ${x/#[0�\\Z[:]]}", from_file=0x55555566b0f0 "-c", flags=4)
|     at /home/dualbus/src/gnu/bash/builtins/evalstring.c:458
| #13 0x0000555555585632 in run_one_command (command=0x7fffffffebdc "x=0; : ${x/#[0�\\Z[:]]}") at /home/dualbus/src/gnu/bash/shell.c:1424
| #14 0x000055555558477d in main (argc=3, argv=0x7fffffffe8f8, env=0x7fffffffe918) at /home/dualbus/src/gnu/bash/shell.c:735
|
| (gdb) p str
| $1 = 0xdfdfdfdfdfdfdfdf

I have been looking around but I don't understand what's going on. I can see
that the value of `str' comes from `e', which in turn comes from
`match_pattern', but it's not clear to me why this is happening.