From bfd61a8043511696de226e647951d09deaa95689 Mon Sep 17 00:00:00 2001 From: Marcus Haehnel Date: Thu, 9 Nov 2023 14:18:46 +0100 Subject: fnmatch: fix possible access beyond of parameter string In certain cases, fnmatch() could access the next byte beyond the end of he passed pattern. A triggering pattern to match is the following invocation: fnmatch("[A-Z[.", "F", 0) The normal A-Z group match gets us to fnmatch_loop.c:421 and then to fnmatch_loop:599. The F in the filaname matches this expression and we end up in fnmatch_loop:867 which handles skipping the rest of a bracked expression that already matched. Here we enter the case where the next chars to parse are a collating symbol starting with "[." (fnmatch_loop:918). Currently the p pointer is then advanced by one, moving it beyond the "." and to the \0 byte of the pattern string (fnmatch_loop:920). Inside the while loop the pointer is then incremented again and immediately dereferenced, reaching beyond the end of the pattern string. The increment before the while loop must be removed, because only inside the while loop (after the other increment) a check for the end of the string is performend. This is sufficient and the check of the end of the collating symbol is only performed if p[1] is at most the terminating \0 byte. Signed-Off-By: Frank Mehnert --- libc/misc/fnmatch/fnmatch_loop.c | 1 - 1 file changed, 1 deletion(-) (limited to 'libc') diff --git a/libc/misc/fnmatch/fnmatch_loop.c b/libc/misc/fnmatch/fnmatch_loop.c index 32ee079a3..025510de6 100644 --- a/libc/misc/fnmatch/fnmatch_loop.c +++ b/libc/misc/fnmatch/fnmatch_loop.c @@ -917,7 +917,6 @@ FCT (const CHAR *pattern, const CHAR *string, const CHAR *string_end, } else if (c == L('[') && *p == L('.')) { - ++p; while (1) { c = *++p; -- cgit v1.2.3