Fix read past end of pattern in fnmatch (bug 18032)

(cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)

Conflicts:
	NEWS

diff --git a/ChangeLog b/ChangeLog
index a4917cd2398f97d443169d7614567c765780871c..4a45f604288ff574282c56c0a520619240d1799b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-02-25  Andreas Schwab  <schwab@suse.de>
+
+       [BZ #18032]
+       * posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+       over collating symbol inside a bracket expression.  Minor cleanup.
+       * posix/tst-fnmatch3.c (do_test): Add test case.
+
 2016-02-25  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
        [BZ #17269]

diff --git a/NEWS b/NEWS
index 57a7f11b1f21073413067d73d4370a1fbbf64cb8..9392e3284501c55995ea1c5e6dfee1c369658601 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.20.1
 * The following bugs are resolved with this release:
 
   16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555,
-  17625, 17630, 17801, 18694, 18928, 19018.
+  17625, 17630, 17801, 18032, 18694, 18928, 19018.
 
 * The LD_POINTER_GUARD environment variable can no longer be used to
   disable the pointer guard feature.  It is always enabled.

diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index db6d9d7c56be3510dc391d44eacb5d3d9ffe9766..f09b7ce5f020bd7bbdde333e9362740a68a5d5b4 100644 (file)
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -940,14 +940,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
                  }
                else if (c == L('[') && *p == L('.'))
                  {
-                   ++p;
                    while (1)
                      {
                        c = *++p;
-                       if (c == '\0')
+                       if (c == L('\0'))
                          return FNM_NOMATCH;
 
-                       if (*p == L('.') && p[1] == L(']'))
+                       if (c == L('.') && p[1] == L(']'))
                          break;
                      }
                    p += 2;

diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
index 2a83c1bfb7da0f9e2f64a0231d2b7ac3fa80546c..e03e478ca2741ab5ae751caa4d20520f3451190a 100644 (file)
--- a/posix/tst-fnmatch3.c
+++ b/posix/tst-fnmatch3.c
@@ -21,9 +21,11 @@
 int
 do_test (void)
 {
-  const char *pattern = "[[:alpha:]'[:alpha:]\0]";
-
-  return fnmatch (pattern, "a", 0) != FNM_NOMATCH;
+  if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH)
+    return 1;
+  if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
+    return 1;
+  return 0;
 }
 
 #define TEST_FUNCTION do_test ()