This papers over GCC PR116884 because the triggering memset
is gone, and the strcpy call does not have bounds information
available.
Verified that the test still finds the original bug by
partially reverting commit c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61
("Fix BZ 18036 buffer overflow (read past end of buffer) in
internal_fnmatch").
---
posix/tst-fnmatch3.c | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)
@@ -20,22 +20,18 @@
#include <sys/mman.h>
#include <string.h>
#include <unistd.h>
+#include <support/check.h>
+#include <support/next_to_fault.h>
-int
+void
do_bz18036 (void)
{
const char p[] = "**(!()";
- const int pagesize = getpagesize ();
-
- char *pattern = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE,
- MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
- if (pattern == MAP_FAILED) return 1;
-
- mprotect (pattern + pagesize, pagesize, PROT_NONE);
- memset (pattern, ' ', pagesize);
- strcpy (pattern, p);
-
- return fnmatch (pattern, p, FNM_EXTMATCH);
+ struct support_next_to_fault ntf
+ = support_next_to_fault_allocate (sizeof (p));
+ strcpy (ntf.buffer, p);
+ TEST_COMPARE (fnmatch (ntf.buffer, p, FNM_EXTMATCH), 0);
+ support_next_to_fault_free (&ntf);
}
int
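Review bot: The new body of do_bz18036 does not say why the pattern is copied into a next-to-fault allocation instead of a plain array, so a reader cannot tell that the inaccessible page after the buffer is the actual assertion of this test. Suggest a comment above the allocation: `/* BZ 18036: place the pattern directly before an inaccessible page so that any read past its terminating NUL faults instead of passing unnoticed.  */`. The removed `if (pattern == MAP_FAILED) return 1;` has no counterpart in the hunk; this is fine if support_next_to_fault_allocate fails the test itself on mmap failure, which the hunk does not show, so it is worth confirming rather than assuming. Sizing the buffer with `sizeof (p)` makes the terminating NUL the last accessible byte, which is what the original read-past-end bug needs to be caught.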
@@ -45,7 +41,8 @@ do_test (void)
return 1;
if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
return 1;
- return do_bz18036 ();
+ do_bz18036 ();
+ return 0;
}
#define TEST_FUNCTION do_test ()
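Review bot: After this hunk do_test mixes two failure styles: the checks just above the added lines still `return 1` with no diagnostic, while the new do_bz18036 reports through TEST_COMPARE with a message. Since support/check.h is now included, the preceding check could become `TEST_VERIFY (fnmatch ("[a[.\0.]]", "a", 0) == FNM_NOMATCH);` so every failure in this test is reported the same way. The start of do_test lies outside the hunk.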