diff options
author | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-03-02 13:34:22 -0800 |
---|---|---|
committer | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-03-02 13:34:22 -0800 |
commit | c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61 (patch) | |
tree | 43cf2e4e4f302d8bf0a841d8e06ab510b4e4aea7 /posix | |
parent | e8b6be0016f131c2ac72bf3213eabdb59800e63b (diff) | |
download | glibc-c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61.tar glibc-c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61.tar.gz glibc-c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61.tar.bz2 glibc-c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61.zip |
Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch
Diffstat (limited to 'posix')
-rw-r--r-- | posix/fnmatch_loop.c | 7 | ||||
-rw-r--r-- | posix/tst-fnmatch3.c | 22 |
2 files changed, 27 insertions, 2 deletions
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c index 72c5d8f041..f46c9dfedb 100644 --- a/posix/fnmatch_loop.c +++ b/posix/fnmatch_loop.c @@ -1036,7 +1036,12 @@ END (const CHAR *pattern) } else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@') || *p == L('!')) && p[1] == L('(')) - p = END (p + 1); + { + p = END (p + 1); + if (*p == L('\0')) + /* This is an invalid pattern. */ + return pattern; + } else if (*p == L(')')) break; diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c index 75bc00a2c5..fdf99342e9 100644 --- a/posix/tst-fnmatch3.c +++ b/posix/tst-fnmatch3.c @@ -17,6 +17,26 @@ <http://www.gnu.org/licenses/>. */ #include <fnmatch.h> +#include <sys/mman.h> +#include <string.h> +#include <unistd.h> + +int +do_bz18036 (void) +{ + const char p[] = "**(!()"; + const int pagesize = getpagesize (); + + char *pattern = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE, + MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + if (pattern == MAP_FAILED) return 1; + + mprotect (pattern + pagesize, pagesize, PROT_NONE); + memset (pattern, ' ', pagesize); + strcpy (pattern, p); + + return fnmatch (pattern, p, FNM_EXTMATCH); +} int do_test (void) @@ -25,7 +45,7 @@ do_test (void) return 1; if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH) return 1; - return 0; + return do_bz18036 (); } #define TEST_FUNCTION do_test () |