Fix read past end of pattern in fnmatch (bug 18032)

diff --git a/ChangeLog b/ChangeLog
index 432c35d5aac6bcc111fed6f20f5b6dcfd007cb15..90c42c85a3622cb172b1051919645c8a4a82c8bc 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-02-26  Andreas Schwab  <schwab@suse.de>
+
+       [BZ #18032]
+       * posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+       over collating symbol inside a bracket expression.  Minor cleanup.
+       * posix/tst-fnmatch3.c (do_test): Add test case.
+
 2015-02-26  Joseph Myers  <joseph@codesourcery.com>
 
        [BZ #18029]

diff --git a/NEWS b/NEWS
index 75e83e0a1749a579a3aaa28f9ab9e54d567fa323..77e081464d509443afaf864e2ce3af1286371d48 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,7 +12,7 @@ Version 2.22
   4719, 14841, 13064, 14094, 15319, 15467, 15790, 15969, 16560, 16783,
   17269, 17523, 17569, 17588, 17792, 17836, 17912, 17916, 17932, 17944,
   17949, 17964, 17965, 17967, 17969, 17978, 17987, 17991, 17996, 17998,
-  17999, 18019, 18020, 18029.
+  17999, 18019, 18020, 18029, 18032.
 
 * Character encoding and ctype tables were updated to Unicode 7.0.0, using
   new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red

diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index c0cb2fc3e6cd5280043207d40a1d8f119ca5d3cf..72c5d8f0413379b0027e9ec6d11ab9c706d6b6ac 100644 (file)
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -945,14 +945,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
                  }
                else if (c == L('[') && *p == L('.'))
                  {
-                   ++p;
                    while (1)
                      {
                        c = *++p;
-                       if (c == '\0')
+                       if (c == L('\0'))
                          return FNM_NOMATCH;
 
-                       if (*p == L('.') && p[1] == L(']'))
+                       if (c == L('.') && p[1] == L(']'))
                          break;
                      }
                    p += 2;

diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
index d27a557c7cb1d46f02aa09fa900acdf38a32f9f8..75bc00a2c56669b2cc9a1e6f85557513e6685f50 100644 (file)
--- a/posix/tst-fnmatch3.c
+++ b/posix/tst-fnmatch3.c
@@ -21,9 +21,11 @@
 int
 do_test (void)
 {
-  const char *pattern = "[[:alpha:]'[:alpha:]\0]";
-
-  return fnmatch (pattern, "a", 0) != FNM_NOMATCH;
+  if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH)
+    return 1;
+  if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
+    return 1;
+  return 0;
 }
 
 #define TEST_FUNCTION do_test ()