Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch

diff --git a/ChangeLog b/ChangeLog
index 5226f3decb3c8d2b9d660b810d0c887101c00f95..98fbedb4f75406833a21d891a17d3333dc8d0f13 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-03-02  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+       [BZ #18036]
+       * posix/fnmatch_loop.c (END): Detect invalid pattern.
+       * posix/tst-fnmatch3.c (do_bz18036): Add test case.
+
 2015-03-02  Andreas Schwab  <schwab@suse.de>
 
        * elf/Makefile ($(elf-objpfx)runtime-linker.st): Fix typo in

diff --git a/NEWS b/NEWS
index 1c54ede4a1736b49e736ecbe3f12d984a44caf9f..8976f1100d81c02f66685facd6f504b6f04dc6e2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,8 +12,8 @@ Version 2.22
   4719, 14841, 13064, 14094, 15319, 15467, 15790, 15969, 16351, 16560,
   16783, 17269, 17523, 17569, 17588, 17711, 17792, 17836, 17912, 17916,
   17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, 17987, 17991,
-  17996, 17998, 17999, 18019, 18020, 18029, 18030, 18032, 18038, 18039,
-  18046, 18047.
+  17996, 17998, 17999, 18019, 18020, 18029, 18030, 18032, 18036, 18038,
+  18039, 18046, 18047.
 
 * Character encoding and ctype tables were updated to Unicode 7.0.0, using
   new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red

diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 72c5d8f0413379b0027e9ec6d11ab9c706d6b6ac..f46c9dfedb6e95cfcce1f21934894ebd049b2fe7 100644 (file)
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -1036,7 +1036,12 @@ END (const CHAR *pattern)
       }
     else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@')
              || *p == L('!')) && p[1] == L('('))
-      p = END (p + 1);
+      {
+       p = END (p + 1);
+       if (*p == L('\0'))
+         /* This is an invalid pattern.  */
+         return pattern;
+      }
     else if (*p == L(')'))
       break;
 

diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
index 75bc00a2c56669b2cc9a1e6f85557513e6685f50..fdf99342e97cec6b64e7058656740a0cf7a85844 100644 (file)
--- a/posix/tst-fnmatch3.c
+++ b/posix/tst-fnmatch3.c
@@ -17,6 +17,26 @@
    <http://www.gnu.org/licenses/>.  */
 
 #include <fnmatch.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <unistd.h>
+
+int
+do_bz18036 (void)
+{
+  const char p[] = "**(!()";
+  const int pagesize = getpagesize ();
+
+  char *pattern = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE,
+                        MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+  if (pattern == MAP_FAILED) return 1;
+
+  mprotect (pattern + pagesize, pagesize, PROT_NONE);
+  memset (pattern, ' ', pagesize);
+  strcpy (pattern, p);
+
+  return fnmatch (pattern, p, FNM_EXTMATCH);
+}
 
 int
 do_test (void)
@@ -25,7 +45,7 @@ do_test (void)
     return 1;
   if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
     return 1;
-  return 0;
+  return do_bz18036 ();
 }
 
 #define TEST_FUNCTION do_test ()