bug-bash

From: Brian Carpenter
Subject: segfault in extract_delimited_string () at subst.c:1291 (bash 4.4.0(1)-beta)
Date: Sat, 19 Sep 2015 11:22:14 -0500

While fuzzing bash 4.4.0(1)-beta compiled from the devel branch, I found a 'script' that causes a segfault. The attached also crashes bash 4.2.37(1)-release. The file is 1012B in size and I was unable to minimize it any further using the afl-tmin tool that comes with the AFL fuzzer.

Starting program: /home/geeknik/bash/bash test00
Program received signal SIGSEGV, Segmentation fault.
0x00000000005643a5 in extract_delimited_string () at subst.c:1291
1291      c = string[i];
(gdb) bt
#0  0x00000000005643a5 in extract_delimited_string () at subst.c:1291
#1  0x0000000000562f53 in skip_matched_pair.constprop.27 () at subst.c:1702
#2  0x00000000005635cc in string_extract.constprop.26 () at subst.c:1724
#3  0x0000000000596424 in parameter_brace_expand () at subst.c:7604
#4  0x00000000005a1eec in param_expand () at subst.c:8384
#5  0x00000000005a94a7 in expand_word_internal () at subst.c:8936
#6  0x00000000005b2b94 in expand_string_assignment () at subst.c:3348
#7  0x00000000005b4585 in do_assignment_internal () at subst.c:3139
#8  0x00000000005c8712 in expand_word_list_internal () at subst.c:2956
#9  0x00000000004a9965 in execute_simple_command () at execute_cmd.c:4079
#10 0x00000000004b497e in execute_command_internal () at execute_cmd.c:813
#11 0x00000000004bcf1d in execute_command () at execute_cmd.c:416
#12 0x00000000004317e0 in reader_loop ()
#13 0x0000000000429bdb in main () at shell.c:767

==47296== Command: /home/geeknik/bash/bash test00
==47296== 
==47296== Conditional jump or move depends on uninitialised value(s)
==47296==    at 0x5643B0: extract_delimited_string (subst.c:1293)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296== 
==47296== Conditional jump or move depends on uninitialised value(s)
==47296==    at 0x5643B0: extract_delimited_string (subst.c:1293)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==    by 0x5C8711: do_word_assignment (subst.c:2956)
==47296==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296== 
==47296== Conditional jump or move depends on uninitialised value(s)
==47296==    at 0x5643B0: extract_delimited_string (subst.c:1293)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==    by 0x5C8711: do_word_assignment (subst.c:2956)
==47296==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==47296== 
==47296== Invalid read of size 1
==47296==    at 0x5643A5: extract_delimited_string (subst.c:1291)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==    by 0x5C8711: do_word_assignment (subst.c:2956)
==47296==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==47296==    by 0x4BCF1C: execute_command (execute_cmd.c:416)
==47296==  Address 0x423c000 is not stack'd, malloc'd or (recently) free'd
==47296== 
==47296== 
==47296== Process terminating with default action of signal 11 (SIGSEGV)
==47296==  Access not within mapped region at address 0x423C000
==47296==    at 0x5643A5: extract_delimited_string (subst.c:1291)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==    by 0x5C8711: do_word_assignment (subst.c:2956)
==47296==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==47296==    by 0x4BCF1C: execute_command (execute_cmd.c:416)
==47296==  If you believe this happened as a result of a stack
==47296==  overflow in your program's main thread (unlikely but
==47296==  possible), you can try to increase the size of the
==47296==  main thread stack using the --main-stacksize= flag.
==47296==  The main thread stack size used in this run was 8388608.
==47296== 
==47296== HEAP SUMMARY:
==47296==     in use at exit: 0 bytes in 0 blocks
==47296==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==47296== 
==47296== All heap blocks were freed -- no leaks are possible
==47296== 
==47296== For counts of detected and suppressed errors, rerun with: -v
==47296== Use --track-origins=yes to see where uninitialised values come from
==47296== ERROR SUMMARY: 5 errors from 4 contexts (suppressed: 2 from 2)
Segmentation fault

Regards,

Brian 'geeknik' Carpenter

Attachment: test00
Description: Binary data
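The valgrind sequence in the report, several "uninitialised value" conditionals at the `c = string[i]` loop followed by an "Invalid read of size 1" at an address that is "not stack'd, malloc'd or (recently) free'd", is the signature of a delimiter scanner that has walked past the terminating NUL of its input and kept going. The block below is an added illustration of that failure class, not bash's `extract_delimited_string` and not the defect behind this crash (the attachment is not on the page). It assumes a hypothetical scanner that matches a `[`/`]` pair while honouring backslash escapes; the unsafe variant skips two bytes after a backslash without checking that the escaped byte is the NUL, so `a[1\` followed by NUL steps over the terminator and "finds" a stale `]` in whatever memory follows. The `limit` argument exists only so the demo can reproduce the over-read inside a constructed buffer instead of crashing the way the real shell did.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe scanner (hypothetical, added example): returns the index of the
 * closing delimiter that matches the opener preceding `start`, or -1.
 * BUG: after a backslash it advances two bytes without checking whether the
 * escaped byte is the NUL terminator, so it can leave the string entirely.
 * `limit` is the size of the backing buffer; a real scanner has no such
 * bound and reads into unmapped memory, as in the report above. */
long scan_unsafe(const char *s, size_t start, char opener, char closer,
                 size_t limit)
{
    int depth = 1;
    size_t i = start;
    while (i < limit) {
        char c = s[i];
        if (c == 0)
            return -1;              /* end of string: no match */
        if (c == '\\') {
            i += 2;                 /* BUG: may jump over the NUL at s[i+1] */
            continue;
        }
        if (c == opener)
            depth++;
        else if (c == closer && --depth == 0)
            return (long)i;
        i++;
    }
    return -1;
}

/* Safe scanner: identical logic, but an escape at end-of-string is treated
 * as "no closer found" instead of being stepped over. */
long scan_safe(const char *s, size_t start, char opener, char closer)
{
    int depth = 1;
    size_t i = start;
    for (;;) {
        char c = s[i];
        if (c == 0)
            return -1;
        if (c == '\\') {
            if (s[i + 1] == 0)
                return -1;          /* backslash is the last byte: stop here */
            i += 2;
            continue;
        }
        if (c == opener)
            depth++;
        else if (c == closer && --depth == 0)
            return (long)i;
        i++;
    }
}

#define DEMO_LEN 16

/* Constructed input: the string "a[1\" with its NUL at index 4, followed by
 * filler and a stale ']' at index 9 standing in for whatever happens to sit
 * after the string in memory. */
static void make_demo(char buf[DEMO_LEN])
{
    memset(buf, 'x', DEMO_LEN);
    memcpy(buf, "a[1\\", 5);        /* 5 bytes: copies the terminating NUL too */
    buf[9] = ']';
    buf[DEMO_LEN - 1] = 0;
}

/* Scan the subscript starting just after the '[' at index 1. */
long demo_unsafe(void)
{
    char buf[DEMO_LEN];
    make_demo(buf);
    return scan_unsafe(buf, 2, '[', ']', DEMO_LEN);   /* 9: past strlen() == 4 */
}

long demo_safe(void)
{
    char buf[DEMO_LEN];
    make_demo(buf);
    return scan_safe(buf, 2, '[', ']');               /* -1: no closer */
}

int main(void)
{
    printf("unsafe scan returned %ld (string length is 4)\n", demo_unsafe());
    printf("safe scan returned   %ld\n", demo_safe());
    printf("nested, well-formed: %ld\n", scan_safe("a[b[1]]", 2, '[', ']'));
    printf("escaped closer:      %ld\n", scan_safe("a[1\\]]", 2, '[', ']'));
    return 0;
}
```

On inputs that are well formed the two scanners agree; they only diverge when the input ends inside an escape, which is exactly the kind of truncated, byte-flipped case a fuzzer produces and a hand-written test suite rarely does. When triaging a report like the one above, valgrind's suggested `--track-origins=yes` tells you which allocation the uninitialised bytes came from, which usually points straight at the loop that lost track of the string's end.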

