From patchwork Thu Feb 26 14:00:42 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Schwab <schwab@suse.de>
X-Patchwork-Id: 5311
Received: (qmail 55617 invoked by alias); 26 Feb 2015 14:00:58 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 55592 invoked by uid 89); 26 Feb 2015 14:00:56 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.9 required=5.0 tests=AWL, BAYES_00,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.2
X-HELO: mx2.suse.de
From: Andreas Schwab <schwab@suse.de>
To: libc-alpha@sourceware.org
Subject: [PATCH] Fix read past end of pattern in fnmatch (bug 18032)
X-Yow: Your CHEEKS sit like twin NECTARINES above a MOUTH that knows no
	BOUNDS --
Date: Thu, 26 Feb 2015 15:00:42 +0100
Message-ID: <mvmk2z4ydpx.fsf@hawking.suse.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.90 (gnu/linux)
MIME-Version: 1.0

[BZ #18032]
	* posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
	over collating symbol inside a bracket expression.
	* posix/tst-fnmatch3.c (do_test): Add test case.
---
 posix/fnmatch_loop.c | 5 ++---
 posix/tst-fnmatch3.c | 8 +++++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 60e7ccb..8980c6c 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -892,14 +892,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 		  }
 		else if (c == L('[') && *p == L('.'))
 		  {
-		    ++p;
 		    while (1)
 		      {
 			c = *++p;
-			if (c == '\0')
+			if (c == L('\0'))
 			  return FNM_NOMATCH;
 
-			if (*p == L('.') && p[1] == L(']'))
+			if (c == L('.') && p[1] == L(']'))
 			  break;
 		      }
 		    p += 2;
diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
index d27a557..75bc00a 100644
--- a/posix/tst-fnmatch3.c
+++ b/posix/tst-fnmatch3.c
@@ -21,9 +21,11 @@
 int
 do_test (void)
 {
-  const char *pattern = "[[:alpha:]'[:alpha:]\0]";
-
-  return fnmatch (pattern, "a", 0) != FNM_NOMATCH;
+  if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH)
+    return 1;
+  if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
+    return 1;
+  return 0;
 }
 
 #define TEST_FUNCTION do_test ()