Zsh Mailing List Archive

Zsh parser segmentation fault in strcatsub



dualbus@debian:~/bash-fuzzing/zsh-parser$ base64 strcatsub
JCQwMDAwJHsoZTB6KV5ZLTAwMCR7KHopXlktMDA+AAoKCgp7MDAwMDAwfTB9MAowMH0keyUwMDAw
MDAwMDAwADAwMDAwMDAwMDAwMDAwADAwMDAwMDAwMDAwMDAwMDCKMDAwMDAwljAwlTAwMDCWlo0w
MDAwMDAwJHsoZnpmTGwwMjAwb05OgD8+JjmioqKioqIvL6KAPzBCMG1wcjAyMDAloo6iopeiT40p
M29OMGlPMCljMDAwJTAwMDAwMDAwMDAwMH2hMACHMDAwMDAwljAwh4cwMDAwMDAAMDAwMDAwMJYw
MId9MDA=

Core was generated by `/home/dualbus/src/zsh/zsh/Src/zsh -nv strcatsub'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:235
235     ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:235
#1  0x00000000004c12ab in strcatsub (d=0x7fff6a5f47b8,
    pb=0x7fa742ad6bed
"0\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl0200000"...,
    pe=0x7fa742ad6c38
"0\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060"...,
    src=0x7fa742ac7128 "69000000\205\217%0000000000\203 ", '0'
<repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
000000"..., l=224,
    s=0x7fa742ad6c93
"\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl02"...,
glbsub=0, copied=1) at subst.c:738
#2  0x00000000004bf1ad in paramsubst (l=0x7fff6a5f53b0, n=0x7fff6a5f5398, str=0x7fff6a5f4d70, qt=0, pf_flags=4, ret_flags=0x7fff6a5f534c) at subst.c:4031
#3  0x00000000004b5083 in stringsubst (list=0x7fff6a5f53b0, node=0x7fff6a5f5398, pf_flags=4, ret_flags=0x7fff6a5f534c, asssub=0) at subst.c:247
#4  0x00000000004b4435 in prefork (list=0x7fff6a5f53b0, flags=4, ret_flags=0x7fff6a5f534c) at subst.c:85
#5  0x00000000004b5abc in singsub (s=0x7fff6a5f5c08) at subst.c:430
#6  0x00000000004bb85b in paramsubst (l=0x7fff6a5f6390, n=0x7fa742ad6cc8, str=0x7fff6a5f5d40, qt=0, pf_flags=0, ret_flags=0x7fff6a5f631c) at subst.c:3011
#7  0x00000000004b5083 in stringsubst (list=0x7fff6a5f6390, node=0x7fa742ad6cc8, pf_flags=0, ret_flags=0x7fff6a5f631c, asssub=0) at subst.c:247
#8  0x00000000004b4435 in prefork (list=0x7fff6a5f6390, flags=0, ret_flags=0x7fff6a5f631c) at subst.c:85
#9  0x0000000000440df5 in execcmd_getargs (preargs=0x7fa742ad37c8, args=0x7fa742ad3688, expand=1) at exec.c:2659
#10 0x000000000043c1eb in execcmd_exec (state=0x7fff6a5f8230, eparams=0x7fff6a5f70f0, input=0, output=0, how=18, last1=2) at exec.c:2765
#11 0x000000000043b804 in execpline2 (state=0x7fff6a5f8230, pcode=131, how=18, input=0, output=0, last1=0) at exec.c:1873
#12 0x0000000000433f6e in execpline (state=0x7fff6a5f8230, slcode=3074, how=18, last1=0) at exec.c:1602
#13 0x0000000000432dfe in execlist (state=0x7fff6a5f8230, dont_change_job=0, exiting=0) at exec.c:1360
#14 0x000000000043277e in execode (p=0x7fa742ad3528, dont_change_job=0, exiting=0, context=0x4d9274 "toplevel") at exec.c:1141
#15 0x000000000045e366 in loop (toplevel=1, justonce=0) at init.c:208
#16 0x0000000000462846 in zsh_main (argc=3, argv=0x7fff6a5f8858) at init.c:1692
#17 0x0000000000411a32 in main (argc=3, argv=0x7fff6a5f8858) at ./main.c:93

Attachment: strcatsub
Description: Binary data


