Hi,

With a malformed input (see attachment) sed can crash in the function
str_append_modified()

Test:
echo|./sed -f sed-nullptr-str_append_modified

Seems to be a null pointer access. This only seems to happen in the git
code of sed and not in 4.2.2.

This is the stack trace from address sanitizer:

==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
    #0 0x7fd77e298c15 in wcrtomb /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
    #1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
    #2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
    #3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
    #4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
    #5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
    #6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
    #7 0x7fd77e21b62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
    #8 0x4191a8 in _start (/tmp/sed+0x4191a8)

This was found with the help of american fuzzy lop.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42