On Wed, Dec 06, 2023 at 05:28:19PM +0800, wang yuhang via Bug reports for the GNU Bourne Again SHell wrote:
> When the for loop reaches env, the values of each env are:
> [...]
> (gdb) p env[16]
> $21 = 0x7ffce3c2e25a "DIRNAME_ALIAS"
> (gdb) p env[17]
> $22 = 0x7ffce3c2e279 "PID="
The missing '=' in DIRNAME_ALIAS appears to be noteworthy. I could imagine a library function scanning through these strings, and for each one, iterating from the start and looking for '='. In the case of DIRNAME_ALIAS, it never finds one, so it marches off past the edge of the allocated memory chunk. This is pure speculation, of course, until someone actually tests it.
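As an added illustration of the parsing concern raised above (example code written for this note, not bash's own environment handling and not code from anyone in the thread): a small helper that splits a NAME=VALUE entry, treats an entry with no '=' or an empty name as malformed and skippable rather than something to scan past, and a counter run over a constructed environment array that includes a "DIRNAME_ALIAS"-style entry. Assumed names: env_split, env_name_len, env_count_wellformed and the constructed sample_env array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Split one environment entry of the form NAME=VALUE.
   Returns the length of NAME and points *value at the text after '='.
   Returns 0 and sets *value to NULL when the entry has no '=' or an
   empty name, so callers skip it instead of reading beyond the string.
   strchr() stops at the terminating NUL, so a missing '=' is a clean
   NULL result, never a read past the end of the entry. */
size_t env_split(const char *entry, const char **value)
{
    const char *eq;
    *value = NULL;
    if (entry == NULL)
        return 0;
    eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    *value = eq + 1;
    return (size_t)(eq - entry);
}

/* Convenience wrapper: just the NAME length (0 when malformed). */
size_t env_name_len(const char *entry)
{
    const char *value;
    return env_split(entry, &value);
}

/* Walk a NULL-terminated env array, counting well-formed entries.
   The number of malformed entries is reported through *malformed. */
size_t env_count_wellformed(char *const env[], size_t *malformed)
{
    size_t ok = 0, bad = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        const char *value;
        if (env_split(env[i], &value) > 0)
            ok++;
        else
            bad++;
    }
    if (malformed != NULL)
        *malformed = bad;
    return ok;
}

/* Constructed sample environment: two valid entries, one entry with no
   '=' (the shape seen in the gdb output above) and one with an empty
   name. Values are invented for the example. */
static char *const sample_env[] = {
    "DIRNAME_ALIAS",
    "PID=4242",
    "HOME=/tmp/example",
    "=novalue",
    NULL
};

/* Number of malformed entries in the constructed sample. */
size_t sample_malformed(void)
{
    size_t bad;
    (void)env_count_wellformed(sample_env, &bad);
    return bad;
}

int main(void)
{
    size_t bad;
    size_t ok = env_count_wellformed(sample_env, &bad);
    printf("well-formed: %zu, malformed (skipped): %zu\n", ok, bad);
    return 0;
}
```

The point of the wrapper is that a missing '=' is an ordinary, expected input for an environment scanner and should be handled as a skip, not assumed away; any consumer that instead loops "until '='" without also honouring the NUL terminator or the array's NULL sentinel is where the speculation above would bite.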