From: Paul Pluzhnikov Date: Fri, 27 Feb 2015 21:25:42 -0800 Message-ID: Subject: [patch] Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern To: GLIBC Devel Greetings, 2015-02-27 Paul Pluzhnikov [BZ #18036] * posix/fnmatch_loop.c (END): Detect invalid pattern. * posix/tst-fnmatch3.c (do_test): Add test case. diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c index 72c5d8f..f46c9df 100644 --- a/posix/fnmatch_loop.c +++ b/posix/fnmatch_loop.c @@ -1036,7 +1036,12 @@ END (const CHAR *pattern) } else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@') || *p == L('!')) && p[1] == L('(')) - p = END (p + 1); + { + p = END (p + 1); + if (*p == L('\0')) + /* This is an invalid pattern. */ + return pattern; + } else if (*p == L(')')) break; diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c index 75bc00a..7822a35 100644 --- a/posix/tst-fnmatch3.c +++ b/posix/tst-fnmatch3.c @@ -25,6 +25,8 @@ do_test (void) return 1; if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH) return 1; + if (fnmatch (" ", "**(!()", 0) != FNM_NOMATCH) + return 1; return 0; }
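Review bot: The comment on the new check in posix/fnmatch_loop.c (END), "This is an invalid pattern.", does not say why a NUL at this point makes the pattern invalid, and that is the whole point of the fix. After p = END (p + 1), a *p equal to L('\0') means the nested group's closing parenthesis was the last character of the pattern, so the enclosing group can never be closed and any further scanning would walk past the terminator. Please spell that out in the comment, for example "The nested group ended at the end of the pattern, so the enclosing group is unterminated."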
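Review bot: The new case in posix/tst-fnmatch3.c (do_test) does not appear to reach the code being fixed. As written, fnmatch (" ", "**(!()", 0) passes " " as the pattern and "**(!()" as the string, and the flags are 0. fnmatch takes the pattern first, and the ?( *( +( @( !( forms that END handles are only parsed when FNM_EXTMATCH is set, so this call would return FNM_NOMATCH with or without the change to END. Please pass "**(!()" as the pattern argument with FNM_EXTMATCH in the flags, and confirm the test fails (or trips a memory checker) on an unpatched build.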