If bracketed paste input terminates prior to the paste end sequence, the buffer passed to rl_insert_text never gets its null termination.
$ bash-asan --norc -in <<<$'\e[200~X'
==15989==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x006167e51260 at pc 0x007e690b5374 bp 0x007ff50ab620 sp 0x007ff50aae10
READ of size 65 at 0x006167e51260 thread T0
#0 0x7e690b5370 in strlen
#1 0x5dd2f421c4 in rl_insert_text lib/readline/text.c:91:29
#2 0x5dd2f2e4b0 in rl_bracketed_paste_begin lib/readline/kill.c:765:12
---
 lib/readline/kill.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/lib/readline/kill.c b/lib/readline/kill.c
index 972c7d9e..b5a4af79 100644
--- a/lib/readline/kill.c
+++ b/lib/readline/kill.c
@@ -713,7 +713,6 @@ _rl_bracketed_text (size_t *lenp)
 len = 0;
 buf = xmalloc (cap = 64);
- buf[0] = '\0';
 RL_SETSTATE (RL_STATE_MOREINPUT);
 while ((c = rl_read_key ()) >= 0)
@@ -737,12 +736,9 @@ _rl_bracketed_text (size_t *lenp)
 }
 RL_UNSETSTATE (RL_STATE_MOREINPUT);
- if (c >= 0)
- {
- if (len == cap)
- buf = xrealloc (buf, cap + 1);
- buf[len] = '\0';
- }
+ if (len == cap)
+ buf = xrealloc (buf, cap + 1);
+ buf[len] = '\0';
 if (lenp)
 *lenp = len;
--
2.45.1
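Review bot: The now-unconditional `buf[len] = '\0';` in the second hunk has no comment saying why it must also run when rl_read_key() fails, so a later cleanup could plausibly restore the removed `if (c >= 0)` guard and bring back the strlen over-read shown in the trace. I would add `/* Always NUL-terminate: input can end before the paste end sequence, and the caller hands buf to rl_insert_text(), which calls strlen(). */` directly above the `if (len == cap)` line. One thing to confirm in the caller: on the error path the truncated paste is now returned as an ordinary string, so rl_bracketed_paste_begin presumably inserts partial text, possibly ending in a fragment of the end sequence; whether that is intended cannot be judged from here. The `len == cap` check also relies on the read loop keeping `len <= cap`, and that loop body, like the start and end of _rl_bracketed_text, lies outside the hunk. A regression test feeding the `\e[200~X` input from the description would keep the fix covered.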