This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch master updated. glibc-2.21-145-gc2c6d39
- From: ppluzhnikov at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 2 Mar 2015 21:36:25 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.21-145-gc2c6d39
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61 (commit)
from e8b6be0016f131c2ac72bf3213eabdb59800e63b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61
commit c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Mon Mar 2 13:34:22 2015 -0800
Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch
diff --git a/ChangeLog b/ChangeLog
index 5226f3d..98fbedb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-03-02 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #18036]
+ * posix/fnmatch_loop.c (END): Detect invalid pattern.
+ * posix/tst-fnmatch3.c (do_bz18036): Add test case.
+
2015-03-02 Andreas Schwab <schwab@suse.de>
* elf/Makefile ($(elf-objpfx)runtime-linker.st): Fix typo in
diff --git a/NEWS b/NEWS
index 1c54ede..8976f11 100644
--- a/NEWS
+++ b/NEWS
@@ -12,8 +12,8 @@ Version 2.22
4719, 14841, 13064, 14094, 15319, 15467, 15790, 15969, 16351, 16560,
16783, 17269, 17523, 17569, 17588, 17711, 17792, 17836, 17912, 17916,
17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, 17987, 17991,
- 17996, 17998, 17999, 18019, 18020, 18029, 18030, 18032, 18038, 18039,
- 18046, 18047.
+ 17996, 17998, 17999, 18019, 18020, 18029, 18030, 18032, 18036, 18038,
+ 18039, 18046, 18047.
* Character encoding and ctype tables were updated to Unicode 7.0.0, using
new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 72c5d8f..f46c9df 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -1036,7 +1036,12 @@ END (const CHAR *pattern)
}
else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@')
|| *p == L('!')) && p[1] == L('('))
- p = END (p + 1);
+ {
+ p = END (p + 1);
+ if (*p == L('\0'))
+ /* This is an invalid pattern. */
+ return pattern;
+ }
else if (*p == L(')'))
break;
diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
index 75bc00a..fdf9934 100644
--- a/posix/tst-fnmatch3.c
+++ b/posix/tst-fnmatch3.c
@@ -17,6 +17,26 @@
<http://www.gnu.org/licenses/>. */
#include <fnmatch.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <unistd.h>
+
+int
+do_bz18036 (void)
+{
+ const char p[] = "**(!()";
+ const int pagesize = getpagesize ();
+
+ char *pattern = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE,
+ MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+ if (pattern == MAP_FAILED) return 1;
+
+ mprotect (pattern + pagesize, pagesize, PROT_NONE);
+ memset (pattern, ' ', pagesize);
+ strcpy (pattern, p);
+
+ return fnmatch (pattern, p, FNM_EXTMATCH);
+}
int
do_test (void)
@@ -25,7 +45,7 @@ do_test (void)
return 1;
if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
return 1;
- return 0;
+ return do_bz18036 ();
}
#define TEST_FUNCTION do_test ()
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 ++++++
NEWS | 4 ++--
posix/fnmatch_loop.c | 7 ++++++-
posix/tst-fnmatch3.c | 22 +++++++++++++++++++++-
4 files changed, 35 insertions(+), 4 deletions(-)
hooks/post-receive
--
GNU C Library master sources