This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 26 Feb 2015 13:58:09 +0000
- Subject: [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
- Auto-submitted: auto-generated
- References: <bug-18032-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
Florian Weimer <fweimer at redhat dot com> changed:
What        Removed    Added
----------------------------------------------------------------------------
CC                     fweimer at redhat dot com
Flags                  security+
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Self-contained test case below. We skip over the terminating NUL character:
946	    else if (c == L('[') && *p == L('.'))
947	      {
948		++p;
949		while (1)
950		  {
951		    c = *++p;
952		    if (c == '\0')
953		      return FNM_NOMATCH;
954
955		    if (*p == L('.') && p[1] == L(']'))
956		      break;
957		  }
958		p += 2;
959	      }
My initial hunch is that line 948 (“++p;”) should be dropped.
I'm flagging this security+ because it's not far-fetched that this could cause
application crashes.
#include <fnmatch.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>

int
main (int argc, char **argv)
{
  long page_size = sysconf (_SC_PAGESIZE);
  if (page_size < 0)
    {
      printf ("sysconf (_SC_PAGESIZE) failed: %m\n");
      return 1;
    }
  /* Two pages: the pattern lives in the first, the second is made
     inaccessible, so a read past the end of the first page faults.  */
  char *page = mmap (NULL, 2 * page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (page == MAP_FAILED)
    {
      printf ("mmap failed: %m\n");
      return 1;
    }
  if (mprotect (page + page_size, page_size, PROT_NONE))
    {
      printf ("mprotect failed: %m\n");
      return 1;
    }
  /* Spaces after the pattern's NUL never match ".]", so a scan that skips
     the NUL keeps reading until it reaches the protected page.  */
  memset (page, ' ', page_size);
  strcpy (page, "[,[.");
  fnmatch (page, ",\\[,[.", 0);
  return 0;
}
--
You are receiving this mail because:
You are on the CC list for the bug.
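As an added illustration, not part of the bug report and not glibc code, the loop quoted in comment #1 is modelled below in C with every read bounded and counted, so the effect of line 948 on the pattern fragment "[." can be checked without a guard page. scan_pattern, max_index_touched, struct pat and the with_extra_skip flag are names of this model, not of glibc.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Added model of the "[." scan quoted in the comment, not glibc code.  Every read
   goes through pat_get, which records the highest index touched, so an overrun
   shows up as a number instead of undefined behaviour. */
struct pat { const char *s; size_t len; size_t max_idx; };
static char pat_get (struct pat *pt, size_t i)
{
  pt->max_idx = i > pt->max_idx ? i : pt->max_idx;
  return i < pt->len ? pt->s[i] : '\0';   /* s[len] is the terminating NUL */
}

/* pos indexes the '.' after '['.  Returns the index just past the closing ".]"
   or -1 for FNM_NOMATCH; with_extra_skip reproduces line 948 of the quote. */
static long scan_collsym (struct pat *pt, size_t pos, int with_extra_skip)
{
  if (with_extra_skip)
    ++pos;                              /* line 948: ++p; */
  while (1)
    {
      char c = pat_get (pt, ++pos);     /* line 951: c = *++p; */
      if (c == '\0')
        return -1;
      if (c == '.' && pat_get (pt, pos + 1) == ']')
        break;
    }
  return (long) (pos + 2);              /* line 958: p += 2; */
}

long scan_pattern (const char *pattern, int with_extra_skip)
{
  struct pat pt = { pattern, strlen (pattern), 0 };
  return scan_collsym (&pt, 1, with_extra_skip);
}

/* Highest index read; a value above strlen (pattern) is a read past the NUL. */
size_t max_index_touched (const char *pattern, int with_extra_skip)
{
  struct pat pt = { pattern, strlen (pattern), 0 };
  scan_collsym (&pt, 1, with_extra_skip);
  return pt.max_idx;
}

int main (void)
{
  printf ("\"[.\" with line 948: highest index %zu (NUL at 2)\n", max_index_touched ("[.", 1));
  printf ("\"[.\" without it:   highest index %zu\n", max_index_touched ("[.", 0));
  return 0;
}
```

With the extra skip the scan touches index 3 of a three-byte buffer; without it the NUL at index 2 stops the loop, while well-formed collating symbols such as "[.ch.]" scan to the same position either way.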