olga / rpms / glibc

Forked from rpms/glibc 5 years ago
Clone
ce426f
commit c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61
ce426f
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
ce426f
Date:   Mon Mar 2 13:34:22 2015 -0800
ce426f
ce426f
    Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch
ce426f
ce426f
--- glibc-2.17-c758a686/posix/fnmatch_loop.c
ce426f
+++ glibc-2.17-c758a686/posix/fnmatch_loop.c
ce426f
@@ -1036,7 +1036,12 @@ END (const CHAR *pattern)
ce426f
       }
ce426f
     else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@')
ce426f
 	      || *p == L('!')) && p[1] == L('('))
ce426f
-      p = END (p + 1);
ce426f
+      {
ce426f
+	p = END (p + 1);
ce426f
+	if (*p == L('\0'))
ce426f
+	  /* This is an invalid pattern.  */
ce426f
+	  return pattern;
ce426f
+      }
ce426f
     else if (*p == L(')'))
ce426f
       break;
ce426f
 
ce426f
diff --git glibc-2.17-c758a686/posix/tst-fnmatch3.c glibc-2.17-c758a686/posix/tst-fnmatch3.c
ce426f
index 75bc00a..fdf9934 100644
ce426f
--- glibc-2.17-c758a686/posix/tst-fnmatch3.c
ce426f
+++ glibc-2.17-c758a686/posix/tst-fnmatch3.c
ce426f
@@ -17,6 +17,26 @@
ce426f
    <http://www.gnu.org/licenses/>.  */
ce426f
 
ce426f
 #include <fnmatch.h>
ce426f
+#include <sys/mman.h>
ce426f
+#include <string.h>
ce426f
+#include <unistd.h>
ce426f
+
ce426f
+int
ce426f
+do_bz18036 (void)
ce426f
+{
ce426f
+  const char p[] = "**(!()";
ce426f
+  const int pagesize = getpagesize ();
ce426f
+
ce426f
+  char *pattern = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE,
ce426f
+                        MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
ce426f
+  if (pattern == MAP_FAILED) return 1;
ce426f
+
ce426f
+  mprotect (pattern + pagesize, pagesize, PROT_NONE);
ce426f
+  memset (pattern, ' ', pagesize);
ce426f
+  strcpy (pattern, p);
ce426f
+
ce426f
+  return fnmatch (pattern, p, FNM_EXTMATCH);
ce426f
+}
ce426f
 
ce426f
 int
ce426f
 do_test (void)
ce426f
@@ -25,7 +45,7 @@ do_test (void)
ce426f
     return 1;
ce426f
   if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
ce426f
     return 1;
ce426f
-  return 0;
ce426f
+  return do_bz18036 ();
ce426f
 }
ce426f
 
ce426f
 #define TEST_FUNCTION do_test ()