You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
62 lines
1.6 KiB
62 lines
1.6 KiB
commit c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61 |
|
Author: Paul Pluzhnikov <ppluzhnikov@google.com> |
|
Date: Mon Mar 2 13:34:22 2015 -0800 |
|
|
|
Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch |
|
|
|
--- glibc-2.17-c758a686/posix/fnmatch_loop.c |
|
+++ glibc-2.17-c758a686/posix/fnmatch_loop.c |
|
@@ -1036,7 +1036,12 @@ END (const CHAR *pattern) |
|
} |
|
else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@') |
|
|| *p == L('!')) && p[1] == L('(')) |
|
- p = END (p + 1); |
|
+ { |
|
+ p = END (p + 1); |
|
+ if (*p == L('\0')) |
|
+ /* This is an invalid pattern. */ |
|
+ return pattern; |
|
+ } |
|
else if (*p == L(')')) |
|
break; |
|
|
|
diff --git glibc-2.17-c758a686/posix/tst-fnmatch3.c glibc-2.17-c758a686/posix/tst-fnmatch3.c |
|
index 75bc00a..fdf9934 100644 |
|
--- glibc-2.17-c758a686/posix/tst-fnmatch3.c |
|
+++ glibc-2.17-c758a686/posix/tst-fnmatch3.c |
|
@@ -17,6 +17,26 @@ |
|
<http://www.gnu.org/licenses/>. */ |
|
|
|
#include <fnmatch.h> |
|
+#include <sys/mman.h> |
|
+#include <string.h> |
|
+#include <unistd.h> |
|
+ |
|
+int |
|
+do_bz18036 (void) |
|
+{ |
|
+ const char p[] = "**(!()"; |
|
+ const int pagesize = getpagesize (); |
|
+ |
|
+ char *pattern = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE, |
|
+ MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); |
|
+ if (pattern == MAP_FAILED) return 1; |
|
+ |
|
+ mprotect (pattern + pagesize, pagesize, PROT_NONE); |
|
+ memset (pattern, ' ', pagesize); |
|
+ strcpy (pattern, p); |
|
+ |
|
+ return fnmatch (pattern, p, FNM_EXTMATCH); |
|
+} |
|
|
|
int |
|
do_test (void) |
|
@@ -25,7 +45,7 @@ do_test (void) |
|
return 1; |
|
if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH) |
|
return 1; |
|
- return 0; |
|
+ return do_bz18036 (); |
|
} |
|
|
|
#define TEST_FUNCTION do_test ()
|
|
|