CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

diff --git a/ChangeLog b/ChangeLog
index 31377d939e2c16cea3b557c63ca1d812d209573f..7e06bb0c9764c2ef3cd084bd5726289861b415a6 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
+
+       [BZ #22320]
+       CVE-2017-15670
+       * posix/glob.c (__glob): Fix one-byte overflow.
+
 2017-09-08  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
        [BZ #1062]

diff --git a/NEWS b/NEWS
index db81e9e6b14e980098e2f3d1919399a73512160f..d79e8bcaa13fddf13d2153f5dc5c0c7184b5cc29 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -95,6 +95,11 @@ Version 2.22.1
 * CVE-2018-6551: The malloc function, when called with an object size near
   the value of SIZE_MAX, would return a pointer to a buffer which is too
   small, instead of NULL.
+
+* CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
+  from a one-byte overflow during ~ operator processing (either on the stack
+  or the heap, depending on the length of the user name).
+
 \f
 Version 2.22
 

diff --git a/posix/glob.c b/posix/glob.c
index 25f7b5822a27f355be08682eefa25433b0c2ee7f..cd28dc52a25199dc89e8e685cd72375ce5ce1243 100644 (file)
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -886,7 +886,7 @@ glob (pattern, flags, errfunc, pglob)
                  *p = '\0';
                }
              else
-               *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+               *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
                  = '\0';
              user_name = newp;
            }