If bracketed paste input ends before the paste-end sequence is seen,
the buffer handed to rl_insert_text is never NUL-terminated, so the
strlen() inside rl_insert_text reads past the end of the allocation.

$ bash-asan --norc -in <<<$'\e[200~X'
==15989==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x006167e51260 at pc 0x007e690b5374 bp 0x007ff50ab620 sp 0x007ff50aae10
READ of size 65 at 0x006167e51260 thread T0
    #0 0x7e690b5370 in strlen
    #1 0x5dd2f421c4 in rl_insert_text lib/readline/text.c:91:29
    #2 0x5dd2f2e4b0 in rl_bracketed_paste_begin lib/readline/kill.c:765:12
---
 lib/readline/kill.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/lib/readline/kill.c b/lib/readline/kill.c
index 972c7d9e..b5a4af79 100644
--- a/lib/readline/kill.c
+++ b/lib/readline/kill.c
@@ -713,7 +713,6 @@ _rl_bracketed_text (size_t *lenp)
 
   len = 0;
   buf = xmalloc (cap = 64);
-  buf[0] = '\0';
 
   RL_SETSTATE (RL_STATE_MOREINPUT);
   while ((c = rl_read_key ()) >= 0)
@@ -737,12 +736,9 @@ _rl_bracketed_text (size_t *lenp)
     }
   RL_UNSETSTATE (RL_STATE_MOREINPUT);
 
-  if (c >= 0)
-    {
-      if (len == cap)
-       buf = xrealloc (buf, cap + 1);
-      buf[len] = '\0';
-    }
+  if (len == cap)
+    buf = xrealloc (buf, cap + 1);
+  buf[len] = '\0';
 
   if (lenp)
     *lenp = len;
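Review bot: The unconditional terminator at the end of `_rl_bracketed_text` deserves a comment saying why it must not be tied to `c >= 0` again, since the caller visible in the ASan trace (`rl_insert_text`) sizes its read with `strlen()` rather than `*lenp`; I'd add `/* Always NUL-terminate: on EOF/error (c < 0) the partial paste is still returned and callers strlen() it. */` above the `if (len == cap)`. The `len == cap` test presumes the read loop never lets `len` exceed `cap`; that loop body lies between the two hunks and is not visible here, so it is worth confirming the growth logic keeps `len <= cap` on every path. Note also that the loop condition `rl_read_key () >= 0` admits a zero byte, so if the loop stores it the returned text can hold an embedded NUL that a strlen()-based caller will silently truncate at, even though `*lenp` reports the full length.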
-- 
2.45.1

