Don't read past end of pattern in fnmatch (BZ17062)
authorStan Shebs <stanshebs@google.com>
Wed, 11 Jan 2017 02:44:57 +0000 (18:44 -0800)
committerStan Shebs <stanshebs@google.com>
Wed, 11 Jan 2017 02:44:57 +0000 (18:44 -0800)
README.google
posix/fnmatch_loop.c

index 6677ba18da1515fbd972432c1a34e707c0c8f9df..bdaaacb983e5a48be0aa42febb0c4ed31d751fde 100644 (file)
@@ -620,3 +620,8 @@ nss/nss_files/files-XXX.c
   For b/26276654, don't ignore too long lines in nss_files (BZ17079, CVE-2015-5277)
   https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=3fd498242948b1fa944c56646ec9b156387dd310
   (stanshebs, backport)
+
+posix/fnmatch_loop.c
+  Don't read past end of pattern in fnmatch (BZ17062)
+  https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=b3a9f56ba59c3d8eadd3135a1c25c37a63151450
+  (stanshebs, backport)
index ce404c4c61aa0c562e41a163cce2834f62e4ee1e..18add2d8ef9715dae7efbf0c7d89895f3026ab40 100644 (file)
@@ -899,11 +899,8 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 
          matched:
            /* Skip the rest of the [...] that already matched.  */
-           do
+           while ((c = *p++) != L (']'))
              {
-             ignore_next:
-               c = *p++;
-
                if (c == L('\0'))
                  /* [... (unterminated) loses.  */
                  return FNM_NOMATCH;
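Review bot: The rewritten loop head `while ((c = *p++) != L (']'))` carries the invariant this fix depends on, but no comment states it. Every character consumed while skipping the rest of the bracket expression, including the one that follows a nested `[:...:]`, `[=...=]` or `[....]`, has to pass the `c == L('\0')` check before `p` advances again. A comment above the loop such as `/* Fetch every character here so the '\0' check below sees it; branches leave p on the next unread character.  */` would keep a later edit from reintroducing the trailing `c = *p++` that the other hunks delete. The file list shows only README.google and posix/fnmatch_loop.c, so the backport appears to carry no regression test; a case whose pattern ends right after a nested class terminator would pin the behaviour. The loop body continues outside this hunk.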
@@ -931,12 +928,11 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 
                        if (c < L('a') || c >= L('z'))
                          {
-                           p = startp;
-                           goto ignore_next;
+                           p = startp - 2;
+                           break;
                          }
                      }
                    p += 2;
-                   c = *p++;
                  }
                else if (c == L('[') && *p == L('='))
                  {
@@ -947,7 +943,6 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
                    if (c != L('=') || p[1] != L(']'))
                      return FNM_NOMATCH;
                    p += 2;
-                   c = *p++;
                  }
                else if (c == L('[') && *p == L('.'))
                  {
@@ -961,10 +956,8 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
                          break;
                      }
                    p += 2;
-                   c = *p++;
                  }
              }
-           while (c != L(']'));
            if (not)
              return FNM_NOMATCH;
          }