Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern
Commit Message
Greetings,
2015-02-27 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #18036]
* posix/fnmatch_loop.c (END): Detect invalid pattern.
* posix/tst-fnmatch3.c (do_test): Add test case.
Comments
On 02/28/2015 06:25 AM, Paul Pluzhnikov wrote:
> else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@')
> || *p == L('!')) && p[1] == L('('))
> - p = END (p + 1);
> + {
> + p = END (p + 1);
> + if (*p == L('\0'))
> + /* This is an invalid pattern. */
> + return pattern;
> + }
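Review bot: the new `*p == L('\0')` test may not catch the case it is placed for. If END reports an invalid pattern by returning its `pattern` argument, as the lines added here do with `return pattern;`, then the recursive `END (p + 1)` reports one by returning `p + 1`, and the guard on the preceding line has just established that `p[1] == L('(')`, so the returned pointer is at `(`, not at the NUL, and the test does not fire for a nested group that is never closed. Either compare the result against `p + 1` (e.g. `const CHAR *start = p; p = END (p + 1); if (p == start + 1) return pattern;`) or state in the comment which return of END can point at the terminating NUL, so the condition being handled is clear to the next reader.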
Okay to commit if you have checked that the test case actually tests the bug. Thanks.
@@ -1036,7 +1036,12 @@ END (const CHAR *pattern)
}
else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@')
|| *p == L('!')) && p[1] == L('('))
- p = END (p + 1);
+ {
+ p = END (p + 1);
+ if (*p == L('\0'))
+ /* This is an invalid pattern. */
+ return pattern;
+ }
else if (*p == L(')'))
break;
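Review bot: the comment on the added `return pattern;` does not say what is invalid, and it repeats the wording of the other invalid-pattern return in this function, so a reader cannot tell the two failure paths apart. Name the condition, for example `/* Nested group not closed before the end of the pattern.  */`, and consider making the ChangeLog line more specific than "Detect invalid pattern" in the same way, since this is the line a future bisect will land on.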
@@ -25,6 +25,8 @@ do_test (void)
return 1;
if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
return 1;
+ if (fnmatch (" ", "**(!()", 0) != FNM_NOMATCH)
+ return 1;
return 0;
}
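Review bot: as written, this test cannot reach the code changed in fnmatch_loop.c. fnmatch takes the pattern as its first argument and the string as its second, so here the pattern is `" "` and `"**(!()"` is the string being matched; and with flags `0`, FNM_EXTMATCH is not set, so `*(` and `!(` are ordinary characters and END is never entered. Put `"**(!()"` in the pattern position and pass FNM_EXTMATCH, then re-derive the expected return value from the fixed code rather than assuming FNM_NOMATCH, and confirm under valgrind or a sanitizer that the pre-fix build actually fails on it, which is the check the review above asks for.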