--- /dev/null
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.2
+Patch-ID: bash52-021
+
+Bug-Reported-by: Norbert Lange <nolange79@gmail.com>
+Bug-Reference-ID: <CADYdroPZFdVZSL6KkhqkAPgKKopbsLQVSm7_TvLCwadL2=UAWw@mail.gmail.com>
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2022-12/msg00046.html
+
+Bug-Description:
+
+There is an off-by-one error that causes command substitutions to fail when
+they appear in a word expansion inside a here-document.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.2-patched/subst.c 2022-12-13 12:08:58.000000000 -0500
+--- subst.c 2022-12-14 09:09:53.000000000 -0500
+***************
+*** 1694,1698 ****
+ CHECK_STRING_OVERRUN (i, si, slen, c);
+
+! tlen = si - i - 1;
+ RESIZE_MALLOCED_BUFFER (result, result_index, tlen + 4, result_size, 64);
+ result[result_index++] = c;
+--- 1699,1703 ----
+ CHECK_STRING_OVERRUN (i, si, slen, c);
+
+! tlen = si - i - 2;
+ RESIZE_MALLOCED_BUFFER (result, result_index, tlen + 4, result_size, 64);
+ result[result_index++] = c;
+***************
+*** 1714,1718 ****
+ CHECK_STRING_OVERRUN (i, si, slen, c);
+
+! tlen = si - i - 1;
+ RESIZE_MALLOCED_BUFFER (result, result_index, tlen + 4, result_size, 64);
+ result[result_index++] = c;
+--- 1719,1723 ----
+ CHECK_STRING_OVERRUN (i, si, slen, c);
+
+! tlen = si - i - 2;
+ RESIZE_MALLOCED_BUFFER (result, result_index, tlen + 4, result_size, 64);
+ result[result_index++] = c;
+
+*** ../bash-5.2/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 20
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 21
+
+ #endif /* _PATCHLEVEL_H_ */