|
|
12745e |
commit c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61
|
|
|
12745e |
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
|
|
|
12745e |
Date: Mon Mar 2 13:34:22 2015 -0800
|
|
|
12745e |
|
|
|
12745e |
Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch
|
|
|
12745e |
|
|
|
12745e |
--- glibc-2.17-c758a686/posix/fnmatch_loop.c
|
|
|
12745e |
+++ glibc-2.17-c758a686/posix/fnmatch_loop.c
|
|
|
12745e |
@@ -1036,7 +1036,12 @@ END (const CHAR *pattern)
|
|
|
12745e |
}
|
|
|
12745e |
else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@')
|
|
|
12745e |
|| *p == L('!')) && p[1] == L('('))
|
|
|
12745e |
- p = END (p + 1);
|
|
|
12745e |
+ {
|
|
|
12745e |
+ p = END (p + 1);
|
|
|
12745e |
+ if (*p == L('\0'))
|
|
|
12745e |
+ /* This is an invalid pattern. */
|
|
|
12745e |
+ return pattern;
|
|
|
12745e |
+ }
|
|
|
12745e |
else if (*p == L(')'))
|
|
|
12745e |
break;
|
|
|
12745e |
|
|
|
12745e |
diff --git glibc-2.17-c758a686/posix/tst-fnmatch3.c glibc-2.17-c758a686/posix/tst-fnmatch3.c
|
|
|
12745e |
index 75bc00a..fdf9934 100644
|
|
|
12745e |
--- glibc-2.17-c758a686/posix/tst-fnmatch3.c
|
|
|
12745e |
+++ glibc-2.17-c758a686/posix/tst-fnmatch3.c
|
|
|
12745e |
@@ -17,6 +17,26 @@
|
|
|
12745e |
<http://www.gnu.org/licenses/>. */
|
|
|
12745e |
|
|
|
12745e |
#include <fnmatch.h>
|
|
|
12745e |
+#include <sys/mman.h>
|
|
|
12745e |
+#include <string.h>
|
|
|
12745e |
+#include <unistd.h>
|
|
|
12745e |
+
|
|
|
12745e |
+int
|
|
|
12745e |
+do_bz18036 (void)
|
|
|
12745e |
+{
|
|
|
12745e |
+ const char p[] = "**(!()";
|
|
|
12745e |
+ const int pagesize = getpagesize ();
|
|
|
12745e |
+
|
|
|
12745e |
+ char *pattern = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE,
|
|
|
12745e |
+ MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
|
|
|
12745e |
+ if (pattern == MAP_FAILED) return 1;
|
|
|
12745e |
+
|
|
|
12745e |
+ mprotect (pattern + pagesize, pagesize, PROT_NONE);
|
|
|
12745e |
+ memset (pattern, ' ', pagesize);
|
|
|
12745e |
+ strcpy (pattern, p);
|
|
|
12745e |
+
|
|
|
12745e |
+ return fnmatch (pattern, p, FNM_EXTMATCH);
|
|
|
12745e |
+}
|
|
|
12745e |
|
|
|
12745e |
int
|
|
|
12745e |
do_test (void)
|
|
|
12745e |
@@ -25,7 +45,7 @@ do_test (void)
|
|
|
12745e |
return 1;
|
|
|
12745e |
if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
|
|
|
12745e |
return 1;
|
|
|
12745e |
- return 0;
|
|
|
12745e |
+ return do_bz18036 ();
|
|
|
12745e |
}
|
|
|
12745e |
|
|
|
12745e |
#define TEST_FUNCTION do_test ()
|