v4.4 segfault in 'decode_prompt_string' when processing special parameter

[Chris Schoenberg]

This only works in 4.4; earlier versions throw a 'bad substitution' error. It
causes an infinite loop of calls between 'expand_prompt_string' and
'decode_prompt_string',
where calls to 'xmalloc' exhaust the heap:

$\{_@P};${_@P}

I decided to report this because it is not a user-defined recursive
function and it exhausts the heap rather than the stack.

Here is a call trace that just repeats itself as you go back further (you
can see #7 and #0 are the same):

#0  decode_prompt_string (string=0x8dca08 "${_@P}") at
/usr/homes/chet/src/bash/src/parse.y:5471
#1  0x00000000004cf5e0 in string_transform (xc=<optimized out>, v=0x84ca88,
s=0x8dca08 "${_@P}") at subst.c:5127
#2  0x00000000004cc7c5 in parameter_brace_transform (varname=<optimized
out>, value=<optimized out>, ind=<optimized out>, xform=<optimized out>,
rtype=0,
    quoted=<optimized out>, flags=<optimized out>) at subst.c:5263
#3  0x00000000004c5a3d in parameter_brace_expand (string=<optimized out>,
quoted=<optimized out>, pflags=<optimized out>,
contains_dollar_at=<optimized out>,
    indexp=<optimized out>, quoted_dollar_atp=<optimized out>) at
subst.c:8364
#4  param_expand (string=<optimized out>, sindex=<optimized out>,
quoted=<optimized out>, expanded_something=<optimized out>,
    contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>,
had_quoted_null_p=<optimized out>, pflags=<optimized out>) at subst.c:8740
#5  0x00000000004b2640 in expand_word_internal (word=<optimized out>,
quoted=<optimized out>, isexp=<optimized out>,
contains_dollar_at=<optimized out>,
    expanded_something=<optimized out>) at subst.c:9301
#6  0x00000000004b16ca in expand_prompt_string (string=0x8dc908 "${_@P}",
quoted=1, wflags=<optimized out>) at subst.c:3732
#7  0x0000000000434fe0 in decode_prompt_string (string=<optimized out>) at
/usr/homes/chet/src/bash/src/parse.y:5833