From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date: Tue, 19 Dec 2017 16:27:09 +0000 (-0200)
Subject: glob: pacify fuzzer for mempcpy
X-Git-Tag: glibc-2.27~243
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d711a00f93fa964f41a53839228598fbf1a6b482;p=thirdparty%2Fglibc.git

glob: pacify fuzzer for mempcpy

Problem reported by Tim Rühsen [1].  Sync with gnulib 0e14f025d2.

[1] https://lists.gnu.org/archive/html/bug-gnulib/2017-10/msg00054.html

Checked on x86_64-linux-gnu.

    * lib/glob.c (glob): Do not pass NULL to mempcpy.

Signed-off-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
---

diff --git a/ChangeLog b/ChangeLog
index ae5cc39f655..af450546ebf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2017-12-19  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+	* lib/glob.c (glob): Do not pass NULL to mempcpy.
+
 2017-12-19  Joseph Myers  <joseph@codesourcery.com>
 
 	* sysdeps/x86_64/fpu/libm-test-ulps: Update.
diff --git a/posix/glob.c b/posix/glob.c
index cb39779d071..511ec4bbc0f 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -826,6 +826,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 	      {
 		size_t home_len = strlen (p->pw_dir);
 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+		char *d;
 
 		if (__glibc_unlikely (malloc_dirname))
 		  free (dirname);
@@ -845,8 +846,10 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		      }
 		    malloc_dirname = 1;
 		  }
-		*((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
-				    end_name, rest_len)) = '\0';
+		d = mempcpy (dirname, p->pw_dir, home_len);
+		if (end_name != NULL)
+		  d = mempcpy (d, end_name, rest_len);
+		*d = '\0';
 
 		dirlen = home_len + rest_len;
 		dirname_modified = 1;