glob: pacify fuzzer for mempcpy

Problem reported by Tim Rühsen [1].  Sync with gnulib 0e14f025d2.

[1] https://lists.gnu.org/archive/html/bug-gnulib/2017-10/msg00054.html

Checked on x86_64-linux-gnu.

    * lib/glob.c (glob): Do not pass NULL to mempcpy.

Signed-off-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>

diff --git a/ChangeLog b/ChangeLog
index ae5cc39f65510c3f5fda05224dcf882e6449181d..af450546ebf6a1111b278e2e5504c48653c8664c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2017-12-19  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+       * lib/glob.c (glob): Do not pass NULL to mempcpy.
+
 2017-12-19  Joseph Myers  <joseph@codesourcery.com>
 
        * sysdeps/x86_64/fpu/libm-test-ulps: Update.

diff --git a/posix/glob.c b/posix/glob.c
index cb39779d0716d430b0580d2493f56e38f832cb79..511ec4bbc0fa44bc42eda279aad88df974229359 100644 (file)
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -826,6 +826,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
              {
                size_t home_len = strlen (p->pw_dir);
                size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+               char *d;
 
                if (__glibc_unlikely (malloc_dirname))
                  free (dirname);
@@ -845,8 +846,10 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
                      }
                    malloc_dirname = 1;
                  }
-               *((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
-                                   end_name, rest_len)) = '\0';
+               d = mempcpy (dirname, p->pw_dir, home_len);
+               if (end_name != NULL)
+                 d = mempcpy (d, end_name, rest_len);
+               *d = '\0';
 
                dirlen = home_len + rest_len;
                dirname_modified = 1;