In certain cases, fnmatch() could access the next byte beyond the end of
the passed pattern. A triggering pattern to match is the following
invocation:
fnmatch("[A-Z[.", "F", 0)
The normal A-Z group match gets us to fnmatch_loop.c:421 and then to
fnmatch_loop:599. The F in the filename matches this expression and
we end up in fnmatch_loop:867 which handles skipping the rest of a
bracket expression that already matched. Here we enter the case where
the next chars to parse are a collating symbol starting with "[."
(fnmatch_loop:918). Currently the p pointer is then advanced by one,
moving it beyond the "." and to the \0 byte of the pattern string
(fnmatch_loop:920). Inside the while loop the pointer is then
incremented again and immediately dereferenced, reaching beyond the
end of the pattern string.
The increment before the while loop must be removed, because a check for
the end of the string is performed only inside the while loop (after the
other increment). This is sufficient and the check of the end of
the collating symbol is only performed if p[1] is at most the
terminating \0 byte.
Signed-Off-By: Frank Mehnert <frank.mehnert(a)kernkonzept.com>
---
libc/misc/fnmatch/fnmatch_loop.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/libc/misc/fnmatch/fnmatch_loop.c b/libc/misc/fnmatch/fnmatch_loop.c
index 32ee079a3..025510de6 100644
--- a/libc/misc/fnmatch/fnmatch_loop.c
+++ b/libc/misc/fnmatch/fnmatch_loop.c
@@ -917,7 +917,6 @@ FCT (const CHAR *pattern, const CHAR *string, const CHAR *string_end,
}
else if (c == L('[') && *p == L('.'))
{
- ++p;
while (1)
{
c = *++p;
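Review bot: the hunk's context stops at `c = *++p;`, so the end-of-string check that the commit message relies on to make the removed pre-increment unnecessary is not visible in the diff; please include the trailing lines of the loop that contain that check so a reviewer can confirm the first `*++p` after `*p == L('.')` is now bounded by the terminating NUL. A regression test with the pattern from the message, `fnmatch("[A-Z[.", "F", 0)`, run under a bounds checker such as AddressSanitizer, together with a valid collating symbol such as `[.a.]` to show the skip still lands on the closing `.]`, would make the change easy to verify.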
--
2.42.0
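A bounds-instrumented model of the collating-symbol skip loop described above, added here to verify the reasoning in the message; it is not the libc source. It reimplements only the `[.` branch (names `peek`, `skip_collsym` and `over_reads` are assumptions) and counts every read past the pattern's terminating NUL, with and without the `++p` the patch removes.

```c
#include <stdio.h>
#include <string.h>
/* Bounds-instrumented model of the "[." collating-symbol skip loop in
 * fnmatch_loop.c (added example, not the libc source). Index `len` is the
 * terminating NUL; any read past it is counted as out of bounds. */
static int oob_reads;

static char peek(const char *pat, size_t len, size_t i)
{
    if (i > len) {
        oob_reads++;   /* constructed: count the over-read, return NUL */
        return '\0';
    }
    return pat[i];
}
/* p indexes the '.' after '['. Returns the index just past the closing ".]"
 * or -1 for FNM_NOMATCH. pre_increment != 0 keeps the `++p` the patch removes. */
static long skip_collsym(const char *pat, size_t len, size_t p, int pre_increment)
{
    if (pre_increment)
        ++p;
    for (;;) {
        char c = peek(pat, len, ++p);
        if (c == '\0')
            return -1;                 /* end of pattern, no closing ".]" */
        if (c == '.' && peek(pat, len, p + 1) == ']')
            break;
    }
    return (long)(p + 2);
}

/* Skips the first "[." in pat and returns the number of reads past the
 * terminator; 0 means the loop stayed inside the buffer. */
static int over_reads(const char *pat, int pre_increment)
{
    const char *dot = strstr(pat, "[.");
    oob_reads = 0;
    if (dot == NULL)
        return -1;
    skip_collsym(pat, strlen(pat), (size_t)(dot - pat) + 1, pre_increment);
    return oob_reads;
}

int main(void)
{
    const char *trigger = "[A-Z[.";   /* pattern from the commit message */
    printf("original: %d over-read(s), patched: %d\n",
           over_reads(trigger, 1), over_reads(trigger, 0));
    return 0;
}
```

With the pre-increment kept, the trigger pattern produces one read past the terminator; with it removed, the loop stops at the NUL and a valid `[.a.]` symbol is still skipped to the same position.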