
NULL pointer dereference in re_case_expand() #671

Open
ltx2018 opened this issue Apr 28, 2020 · 1 comment
ltx2018 commented Apr 28, 2020

We found a NULL pointer dereference in re_case_expand() by fuzz testing.

==8==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x00000057f8d9 bp 0x7ffff56ac5f0 sp 0x7ffff56ac470 T0)
==8==The signal is caused by a READ memory access.
==8==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x57f8d8 in re_case_expand /src/augeas/src/fa.c
    #1 0x57f0b3 in fa_expand_nocase /src/augeas/src/fa.c:4453:9
    #2 0x553bc0 in LLVMFuzzerTestOneInput /src/augeas/augeas_fa_fuzzer.cc:52:10
    #3 0x459d81 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #4 0x4449a1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #5 0x44a65e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
    #6 0x4747d2 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #7 0x7f9df1dee82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x41dd58 in _start (/out/augeas_fa_fuzzer+0x41dd58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/augeas/src/fa.c in re_case_expand

It can be reproduced by simply running this test code:

#include <stdlib.h>
#include "fa.h"   /* augeas: fa_expand_nocase() */

int main(void) {
    /* Build the 4-byte crashing input "{&.{" as a NUL-terminated string */
    int Size = 4;
    char *new_str = (char *)malloc(Size + 1);
    if (new_str == NULL)
        return 1;
    new_str[0] = '{';
    new_str[1] = '&';
    new_str[2] = '.';
    new_str[3] = '{';
    new_str[Size] = '\0';
    char *s;
    size_t len;
    /* Crashes inside re_case_expand() under ASan with the input above */
    fa_expand_nocase(new_str, Size, &s, &len);
    return 0;
}

I think #670 can fix it.

ltx2018 commented May 19, 2020

ping @raphink @lutter
