In certain cases, fnmatch() could access the next byte beyond the end of he passed pattern. A triggering pattern to match is the following invocation:

fnmatch("[A-Z[.", "F", 0)

The normal A-Z group match gets us to fnmatch_loop.c:421 and then to fnmatch_loop:599. The F in the filaname matches this expression and we end up in fnmatch_loop:867 which handles skipping the rest of a bracked expression that already matched. Here we enter the case where the next chars to parse are a collating symbol starting with "[." (fnmatch_loop:918). Currently the p pointer is then advanced by one, moving it beyond the "." and to the \0 byte of the pattern string (fnmatch_loop:920). Inside the while loop the pointer is then incremented again and immediately dereferenced, reaching beyond the end of the pattern string.

The increment before the while loop must be removed, because only inside the while loop (after the other increment) a check for the end of the string is performend. This is sufficient and the check of the end of the collating symbol is only performed if p[1] is at most the terminating \0 byte.

Signed-Off-By: Frank Mehnert frank.mehnert@kernkonzept.com --- libc/misc/fnmatch/fnmatch_loop.c | 1 - 1 file changed, 1 deletion(-)

diff --git a/libc/misc/fnmatch/fnmatch_loop.c b/libc/misc/fnmatch/fnmatch_loop.c index 32ee079a3..025510de6 100644 --- a/libc/misc/fnmatch/fnmatch_loop.c +++ b/libc/misc/fnmatch/fnmatch_loop.c @@ -917,7 +917,6 @@ FCT (const CHAR *pattern, const CHAR *string, const CHAR *string_end, } else if (c == L('[') && *p == L('.')) { - ++p; while (1) { c = *++p;