summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarcus Haehnel <marcus.haehnel@kernkonzept.com>2023-11-09 14:18:46 +0100
committerWaldemar Brodkorb <wbx@openadk.org>2023-11-10 16:14:20 +0100
commitbfd61a8043511696de226e647951d09deaa95689 (patch)
treed32a45791de13ed73a3a5ec45edc5458c4c2812a
parent1762b04103e9b2c409649de1857a39867f15718f (diff)
fnmatch: fix possible access beyond of parameter string
In certain cases, fnmatch() could access the next byte beyond the end of he passed pattern. A triggering pattern to match is the following invocation: fnmatch("[A-Z[.", "F", 0) The normal A-Z group match gets us to fnmatch_loop.c:421 and then to fnmatch_loop:599. The F in the filaname matches this expression and we end up in fnmatch_loop:867 which handles skipping the rest of a bracked expression that already matched. Here we enter the case where the next chars to parse are a collating symbol starting with "[." (fnmatch_loop:918). Currently the p pointer is then advanced by one, moving it beyond the "." and to the \0 byte of the pattern string (fnmatch_loop:920). Inside the while loop the pointer is then incremented again and immediately dereferenced, reaching beyond the end of the pattern string. The increment before the while loop must be removed, because only inside the while loop (after the other increment) a check for the end of the string is performend. This is sufficient and the check of the end of the collating symbol is only performed if p[1] is at most the terminating \0 byte. Signed-Off-By: Frank Mehnert <frank.mehnert@kernkonzept.com>
-rw-r--r--libc/misc/fnmatch/fnmatch_loop.c1
1 files changed, 0 insertions, 1 deletions
diff --git a/libc/misc/fnmatch/fnmatch_loop.c b/libc/misc/fnmatch/fnmatch_loop.c
index 32ee079a3..025510de6 100644
--- a/libc/misc/fnmatch/fnmatch_loop.c
+++ b/libc/misc/fnmatch/fnmatch_loop.c
@@ -917,7 +917,6 @@ FCT (const CHAR *pattern, const CHAR *string, const CHAR *string_end,
}
else if (c == L('[') && *p == L('.'))
{
- ++p;
while (1)
{
c = *++p;