[uclibc-ng-devel] Possible read-beyond string parameter in fnmatch()

25 Oct 2023

      Hi all,
in certain cases,
fnmatch(pattern, string, flags)
reads beyond the end of pattern. This can be triggered by parameters
like this:
fnmatch(""[A-Z[.", "F", 0);
The corresponding code can be found here:
https://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/tree/libc/misc/fnmatch/fnm...
After line 920 is executed, p points to '\0' (the end of the pattern).
Then, in line 923, p is unconditionally increased again and the value
_after_ the end of the pattern is read (to find out if the pattern has
ended).
Suggested fix: Just remove line 920.
Kind regards,
Frank
-- 
Dr.-Ing. Frank Mehnert, frank.mehnert@kernkonzept.com, +49-351-41 883 224

Kernkonzept GmbH.  Sitz: Dresden.  Amtsgericht Dresden, HRB 31129.
Geschäftsführer: Dr.-Ing. Michael Hohmuth

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

[uclibc-ng-devel] Possible read-beyond string parameter in fnmatch()