While fuzzing bash 4.4.0(1)-beta compiled from the devel branch, I found a 'script' that causes a segfault. The attached also crashes bash 4.2.37(1)-release. The file is 1012B in size and I was unable to minimize it any further using the afl-tmin tool that comes with the AFL fuzzer.

Program received signal SIGSEGV, Segmentation fault.
#13 0x0000000000429bdb in main () at shell.c:767

==47296== Command: /home/geeknik/bash/bash test00
==47296==
==47296== Conditional jump or move depends on uninitialised value(s)
==47296== at 0x5643B0: extract_delimited_string (subst.c:1293)
==47296== by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296== by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296== by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296== by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296== by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296== by 0x5635CB: skipsubscript (subst.c:1724)
==47296== by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296== by 0x596423: parameter_brace_expand (subst.c:7604)
==47296== by 0x5A1EEB: param_expand (subst.c:8384)
==47296== by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296== by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296== by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296== by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296== by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==
==47296== Conditional jump or move depends on uninitialised value(s)
==47296== at 0x5643B0: extract_delimited_string (subst.c:1293)
==47296== by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296== by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296== by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296== by 0x5635CB: skipsubscript (subst.c:1724)
==47296== by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296== by 0x596423: parameter_brace_expand (subst.c:7604)
==47296== by 0x5A1EEB: param_expand (subst.c:8384)
==47296== by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296== by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296== by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296== by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296== by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296== by 0x5C8711: do_word_assignment (subst.c:2956)
==47296== by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296== by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296==
==47296== Conditional jump or move depends on uninitialised value(s)
==47296== at 0x5643B0: extract_delimited_string (subst.c:1293)
==47296== by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296== by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296== by 0x5635CB: skipsubscript (subst.c:1724)
==47296== by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296== by 0x596423: parameter_brace_expand (subst.c:7604)
==47296== by 0x5A1EEB: param_expand (subst.c:8384)
==47296== by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296== by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296== by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296== by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296== by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296== by 0x5C8711: do_word_assignment (subst.c:2956)
==47296== by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296== by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296== by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==47296==
==47296== Invalid read of size 1
==47296== at 0x5643A5: extract_delimited_string (subst.c:1291)
==47296== by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296== by 0x5635CB: skipsubscript (subst.c:1724)
==47296== by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296== by 0x596423: parameter_brace_expand (subst.c:7604)
==47296== by 0x5A1EEB: param_expand (subst.c:8384)
==47296== by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296== by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296== by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296== by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296== by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296== by 0x5C8711: do_word_assignment (subst.c:2956)
==47296== by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296== by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296== by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==47296== by 0x4BCF1C: execute_command (execute_cmd.c:416)
==47296== Address 0x423c000 is not stack'd, malloc'd or (recently) free'd
==47296==
==47296==
==47296== Process terminating with default action of signal 11 (SIGSEGV)
==47296== Access not within mapped region at address 0x423C000
==47296== at 0x5643A5: extract_delimited_string (subst.c:1291)
==47296== by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296== by 0x5635CB: skipsubscript (subst.c:1724)
==47296== by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296== by 0x596423: parameter_brace_expand (subst.c:7604)
==47296== by 0x5A1EEB: param_expand (subst.c:8384)
==47296== by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296== by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296== by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296== by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296== by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296== by 0x5C8711: do_word_assignment (subst.c:2956)
==47296== by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296== by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296== by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==47296== by 0x4BCF1C: execute_command (execute_cmd.c:416)
==47296== If you believe this happened as a result of a stack
==47296== overflow in your program's main thread (unlikely but
==47296== possible), you can try to increase the size of the
==47296== main thread stack using the --main-stacksize= flag.
==47296== The main thread stack size used in this run was 8388608.
==47296==
==47296== HEAP SUMMARY:
==47296== in use at exit: 0 bytes in 0 blocks
==47296== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==47296==
==47296== All heap blocks were freed -- no leaks are possible
==47296==
==47296== For counts of detected and suppressed errors, rerun with: -v
==47296== Use --track-origins=yes to see where uninitialised values come from
==47296== ERROR SUMMARY: 5 errors from 4 contexts (suppressed: 2 from 2)
Segmentation fault