From patchwork Wed Jun 18 10:20:28 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Schwab <schwab@suse.de>
X-Patchwork-Id: 1545
Received: (qmail 19508 invoked by alias); 18 Jun 2014 10:20:34 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 19496 invoked by uid 89); 18 Jun 2014 10:20:33 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.9 required=5.0 tests=AWL, BAYES_00,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.2
X-HELO: mx2.suse.de
From: Andreas Schwab <schwab@suse.de>
To: libc-alpha@sourceware.org
Subject: [PATCH] Don't read past end of pattern in fnmatch (BZ #17062)
X-Yow: Feel th' WHIRLING BUFFERS buffing away all that stress...
	Years of ROAD TAR gently washing away...
Date: Wed, 18 Jun 2014 12:20:28 +0200
Message-ID: <mvmd2e6zfgz.fsf@hawking.suse.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0

[BZ #17062]
	* posix/fnmatch_loop.c (FCT): Rerrange loop for skipping over rest
	of a bracket expr not to run off the end of the string.
	* posix/Makefile (tests): Add tst-fnmatch3.
	* posix/tst-fnmatch3.c: New file.
---
 posix/Makefile       |  3 ++-
 posix/fnmatch_loop.c | 13 +++----------
 posix/tst-fnmatch3.c | 30 ++++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 11 deletions(-)
 create mode 100644 posix/tst-fnmatch3.c

diff --git a/posix/Makefile b/posix/Makefile
index 14e6cee..37d6d5f 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -86,7 +86,8 @@ tests		:= tstgetopt testfnm runtests runptests	     \
 		   tst-getaddrinfo3 tst-fnmatch2 tst-cpucount tst-cpuset \
 		   bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \
 		   bug-getopt5 tst-getopt_long1 bug-regex34 bug-regex35 \
-		   tst-pathconf tst-getaddrinfo4 tst-rxspencer-no-utf8
+		   tst-pathconf tst-getaddrinfo4 tst-rxspencer-no-utf8 \
+		   tst-fnmatch3
 xtests		:= bug-ga2
 ifeq (yes,$(build-shared))
 test-srcs	:= globtest
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index f79d051..544769b 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -899,11 +899,8 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 
 	  matched:
 	    /* Skip the rest of the [...] that already matched.  */
-	    do
+	    while ((c = *p++) != L (']'))
 	      {
-	      ignore_next:
-		c = *p++;
-
 		if (c == L('\0'))
 		  /* [... (unterminated) loses.  */
 		  return FNM_NOMATCH;
@@ -931,12 +928,11 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 
 			if (c < L('a') || c >= L('z'))
 			  {
-			    p = startp;
-			    goto ignore_next;
+			    p = startp - 2;
+			    break;
 			  }
 		      }
 		    p += 2;
-		    c = *p++;
 		  }
 		else if (c == L('[') && *p == L('='))
 		  {
@@ -947,7 +943,6 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 		    if (c != L('=') || p[1] != L(']'))
 		      return FNM_NOMATCH;
 		    p += 2;
-		    c = *p++;
 		  }
 		else if (c == L('[') && *p == L('.'))
 		  {
@@ -962,10 +957,8 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 			  break;
 		      }
 		    p += 2;
-		    c = *p++;
 		  }
 	      }
-	    while (c != L(']'));
 	    if (not)
 	      return FNM_NOMATCH;
 	  }
diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
new file mode 100644
index 0000000..2a83c1b
--- /dev/null
+++ b/posix/tst-fnmatch3.c
@@ -0,0 +1,30 @@
+/* Test for fnmatch not reading past the end of the pattern.
+   Copyright (C) 2014 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <fnmatch.h>
+
+int
+do_test (void)
+{
+  const char *pattern = "[[:alpha:]'[:alpha:]\0]";
+
+  return fnmatch (pattern, "a", 0) != FNM_NOMATCH;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"