
Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern

Message ID CALoOobOKfc9XKEQMbv9uwXTEaer-t=d1FwfOMv61YAOBUBV3_A@mail.gmail.com
State New

Commit Message

Paul Pluzhnikov Feb. 28, 2015, 5:25 a.m. UTC
Greetings,


2015-02-27  Paul Pluzhnikov  <ppluzhnikov@google.com>

        [BZ #18036]
        * posix/fnmatch_loop.c (END): Detect invalid pattern.
        * posix/tst-fnmatch3.c (do_test): Add test case.

Comments

Florian Weimer March 2, 2015, 1:18 p.m. UTC | #1
On 02/28/2015 06:25 AM, Paul Pluzhnikov wrote:
>      else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@')
>  	      || *p == L('!')) && p[1] == L('('))
> -      p = END (p + 1);
> +      {
> +	p = END (p + 1);
> +	if (*p == L('\0'))
> +	  /* This is an invalid pattern.  */
> +	  return pattern;
> +      }

Okay to commit if you have checked that the test case actually tests the
bug.  Thanks.

Patch

diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 72c5d8f..f46c9df 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -1036,7 +1036,12 @@  END (const CHAR *pattern)
       }
     else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@')
 	      || *p == L('!')) && p[1] == L('('))
-      p = END (p + 1);
+      {
+	p = END (p + 1);
+	if (*p == L('\0'))
+	  /* This is an invalid pattern.  */
+	  return pattern;
+      }
     else if (*p == L(')'))
       break;
 
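Review bot: The added `*p == L('\0')` test only catches a nested `END (p + 1)` that comes back pointing at the terminator. When the nested call itself fails it returns its own argument, which is `p + 1` and points at `(`, so that failure is not seen here and the enclosing scan appears to walk the same text again until it finds the terminator itself. Holding the result in a temporary would reject both cases at once: `const CHAR *q = END (p + 1);`, then `if (q == p + 1 || *q == L('\0')) return pattern;`, then `p = q;`. END's loop head and its other return paths are outside the hunk, so confirm against the whole function that the early return is equivalent.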
diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
index 75bc00a..7822a35 100644
--- a/posix/tst-fnmatch3.c
+++ b/posix/tst-fnmatch3.c
@@ -25,6 +25,8 @@  do_test (void)
     return 1;
   if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
     return 1;
+  if (fnmatch ("         ", "**(!()", 0) != FNM_NOMATCH)
+    return 1;
   return 0;
 }
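Review bot: The new call passes the malformed extended pattern `"**(!()"` as fnmatch's second argument, which is the string to match, while the pattern argument is a run of spaces and the flags are 0. As written it presumably returns FNM_NOMATCH on the first character comparison, and it is doubtful that it reaches END at all, since the `*(` and `!(` forms are normally parsed only under FNM_EXTMATCH. A call that exercises the fixed path would put the pattern first and enable the flag, e.g. `fnmatch ("**(!()", "a", FNM_EXTMATCH)`, with the expected return value confirmed by running it against both the unpatched and the patched library. do_test starts outside the hunk.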