Reproduced by compiling yash with AddressSanitizer and running this script:
[[($ =~($(
AddressSanitizer output:
freed by thread T0 here:
#0 0x525022 in free (/home/ubuntu/repos/yash/parser_fuzzer+0x525022)
#1 0x588cc6 in wordunitfree /home/ubuntu/repos/yash/parser.c:202:5
#2 0x588917 in wordfree /home/ubuntu/repos/yash/parser.c:209:2
#3 0x58cf6f in next_token /home/ubuntu/repos/yash/parser.c:1022:5
#4 0x592891 in extract_command_in_paren /home/ubuntu/repos/yash/parser.c:1558:2
#5 0x5919fd in parse_cmdsubst_in_paren /home/ubuntu/repos/yash/parser.c:1524:22
#6 0x58f63b in parse_special_word_unit /home/ubuntu/repos/yash/parser.c:1276:13
#7 0x598d9f in parse_double_bracket_operand_regex /home/ubuntu/repos/yash/parser.c:2981:20
MAKE_WORDUNIT_STRING on parser.c:2980 reads a token and saves it to lastp, but invoking parse_special_word_unit on parser.c:2981, which eventually calls next_token, frees lastp, as shown in the stack trace above. So the write to lastp on parser.c:2984 is detected by AddressSanitizer as a heap-use-after-free:
==27393==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000580 at pc 0x000000599119 bp 0x7ffd83c3df90 sp 0x7ffd83c3df88
WRITE of size 8 at 0x603000000580 thread T0
#0 0x599118 in parse_double_bracket_operand_regex /home/ubuntu/repos/yash/parser.c:2984:14
Line numbers are from commit dbdfea29bf002abd3f134e1bfd942aa2a28ab7ab.
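To make the ownership mistake concrete, here is an added example (not yash code, and not the project's fix) that models the same shape with a hypothetical tokenizer: a caller keeps a raw pointer into the tokenizer's current token, a nested parse advances the tokenizer and frees that token, and the caller then touches the dangling pointer. The hardened variant takes ownership of the buffer before anything downstream can free it.

```c
#include <stdlib.h>
#include <string.h>

/* Modeled lexer state (assumption; not yash's real structures):
   `tok` is the single heap buffer holding the current token. */
struct lexer {
    const char *src;
    char *tok;
};

/* Advance to the next whitespace-separated token. Freeing the previous
   buffer is what invalidates any pointer a caller still holds into it. */
static void next_token(struct lexer *lx) {
    free(lx->tok);
    size_t n = strcspn(lx->src, " ");
    lx->tok = malloc(n + 1);
    memcpy(lx->tok, lx->src, n);
    lx->tok[n] = '\0';
    lx->src += n;
    if (*lx->src == ' ')
        lx->src++;
}

/* Stand-in for the nested parse (parse_special_word_unit in the report)
   that eventually advances the tokenizer. */
static void parse_nested(struct lexer *lx) {
    next_token(lx);
}

/* Buggy shape: `lastp` aliases lx->tok across a call that frees it.
   Never call this; it is here only to show the pattern ASan flags. */
static size_t operand_len_unsafe(struct lexer *lx) {
    char *lastp = lx->tok;   /* saved pointer into tokenizer-owned memory */
    parse_nested(lx);        /* frees lx->tok, so lastp now dangles */
    return strlen(lastp);    /* heap-use-after-free */
}

/* Hardened shape: move the buffer out of the tokenizer first, so the
   nested free(lx->tok) is free(NULL) and the caller owns the token. */
static char *take_operand(struct lexer *lx) {
    char *owned = lx->tok;
    lx->tok = NULL;
    parse_nested(lx);
    return owned;            /* caller must free() this */
}
```

The same fix applies when the saved pointer is a list tail rather than a string: whatever the nested parse may free must be copied or detached before the call, not re-used after it.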