This can only be triggered in some unlikely locale where L'\0' can
be encoded by non-null bytes. For some reason, the glibc-provided
ISIRI-3342 charmap functions like this, so it can be used to reproduce
the issue:
$ sudo localedef -i C -f ISIRI-3342 C.ISIRI-3342
$ LC_ALL=C.ISIRI-3342 bash -c $': $\'\x80\''
ERROR: AddressSanitizer: heap-buffer-overflow...
READ of size 1 at 0xe1dfa73e1b52 thread T0
#0 0xb4f8079bf824 in ansicstr lib/sh/strtrans.c:92:13
#1 0xb4f8079c4d24 in ansiexpand lib/sh/strtrans.c:372:11
#2 0xb4f807567490 in read_token_word parse.y:5588:14
#3 0xb4f80755aeb4 in read_token parse.y:3836:12
---
lib/sh/strtrans.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/sh/strtrans.c b/lib/sh/strtrans.c
index af75dcfa..9dc476d2 100644
--- a/lib/sh/strtrans.c
+++ b/lib/sh/strtrans.c
@@ -83,6 +83,8 @@ ansicstr (const char *string, size_t len, int flags, int
*sawc, size_t *rlen)
(locale_utf8locale == 0 && mb_cur_max > 0 && is_basic (c) == 0))
{
clen = mbrtowc (&wc, s - 1, mb_cur_max, 0);
+ if (clen == 0)
+ break;
if (MB_INVALIDCH (clen))
clen = 1;
}
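Review bot: the new `if (clen == 0) break;` handles the encoded-L'\0' case without saying why, and a reader who knows mbrtowc only as "returns the number of bytes consumed" will read 0 as "nothing consumed" and wonder why the loop ends; add a one-line comment such as `/* mbrtowc returns 0 when the bytes decode to L'\0': treat as end of string */`. The commit message should also state that everything after such a sequence is dropped (the break leaves the enclosing loop, not just this block), since the alternative of falling through to the `clen = 1` path and copying the byte literally would keep the remaining text; either is defensible, but the choice should be recorded. The placement is right: 0 is neither caught by MB_INVALIDCH nor usable as an advance, so it has to be tested before that check.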
--
2.51.0
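As an added illustration written for this note (not bash code and not part of the patch), the mbrtowc contract the fix relies on: a return of 0 means the bytes decoded to L'\0', not "zero bytes consumed", so a scanner has to handle it before using the return value as an advance. In the C locale the only encoding of L'\0' is the NUL byte itself, so the constructed input below reaches that path with an embedded NUL; the ISIRI-3342 case from the commit message hits the same return value through a different byte sequence.

```c
#include <locale.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Walk `len` bytes of `s` as multibyte characters, in the same shape as the
 * loop the patch touches, and return how many characters were decoded before
 * an encoded L'\0' or the end of the input. Hypothetical helper for this note. */
size_t scan_mb_chars(const char *s, size_t len)
{
    mbstate_t st;
    size_t nchars = 0;
    memset(&st, 0, sizeof st);

    while (len > 0) {
        wchar_t wc;
        size_t clen = mbrtowc(&wc, s, len, &st);

        /* The case the patch adds: the bytes decoded to L'\0'. A return of 0
         * must never be used as an advance, so stop here. */
        if (clen == 0)
            break;

        /* Invalid (-1) or truncated (-2) sequence: the MB_INVALIDCH path,
         * which treats the byte as a single character and moves on. */
        if (clen == (size_t)-1 || clen == (size_t)-2) {
            clen = 1;
            memset(&st, 0, sizeof st);
        }
        s += clen;
        len -= clen;
        nchars++;
    }
    return nchars;
}

/* Constructed sample: "ab", an embedded NUL, then two more bytes. */
static const char sample[] = { 'a', 'b', '\0', 'c', 'd' };

/* Scan the sample in the C locale; returns 2 because the NUL ends the scan. */
size_t scan_sample(void)
{
    setlocale(LC_CTYPE, "C");
    return scan_mb_chars(sample, sizeof sample);
}
```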