[uclibc-ng-devel] Possible read-beyond string parameter in fnmatch()

Hi all, in certain cases, fnmatch(pattern, string, flags) reads beyond the end of pattern. This can be triggered by parameters like this: fnmatch(""[A-Z[.", "F", 0); The corresponding code can be found here: https://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/tree/libc/misc/fnmatch/fn… After line 920 is executed, p points to '\0' (the end of the pattern). Then, in line 923, p is unconditionally increased again and the value _after_ the end of the pattern is read (to find out if the pattern has ended). Suggested fix: Just remove line 920. Kind regards, Frank -- Dr.-Ing. Frank Mehnert, frank.mehnert(a)kernkonzept.com, +49-351-41 883 224 Kernkonzept GmbH. Sitz: Dresden. Amtsgericht Dresden, HRB 31129. Geschäftsführer: Dr.-Ing. Michael Hohmuth