author | Ulrich Drepper <drepper@gmail.com> | 2011-03-18 05:29:20 -0400 |
---|---|---|
committer | Ulrich Drepper <drepper@gmail.com> | 2011-03-18 05:29:20 -0400 |
commit | 8126d90480fa3e0c5c5cd0d02cb1c93174b45485 (patch) | |
tree | 17baf35a59c26913857060b82c7ce3110d16b53e | |
parent | ccfe366e6fc64bb81183480bd2ae113041d3c84c (diff) | |
Check size of pattern in wide character representation in fnmatch.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | posix/fnmatch.c | 13 |
2 files changed, 18 insertions, 1 deletions
@@ -1,3 +1,9 @@
+2011-03-18 Ulrich Drepper <drepper@gmail.com>
+
+ * posix/fnmatch.c (fnmatch): Check size of pattern in wide
+ character representation.
+ Partly based on a patch by Tomas Hoger <thoger@redhat.com>.
+
 2011-03-16 Ryan S. Arnold <rsa@us.ibm.com> * sysdeps/powerpc/powerpc32/power6/fpu/s_isnanf.S (isnanf): Fix
diff --git a/posix/fnmatch.c b/posix/fnmatch.c
index 0af5ee6..819a6a7 100644
--- a/posix/fnmatch.c
+++ b/posix/fnmatch.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1991,1992,1993,1996,1997,1998,1999,2000,2001,2002,2003,2007,2010
+/* Copyright (C) 1991,1992,1993,1996,1997,1998,1999,2000,2001,2002,2003,2007,2010,2011
 Free Software Foundation, Inc. This file is part of the GNU C Library.
@@ -375,6 +375,11 @@ fnmatch (pattern, string, flags)
 XXX Do we have to set `errno' to something which mbsrtows hasn't already done? */ return -1;
+ if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))
+ {
+ __set_errno (ENOMEM);
+ return -2;
+ }
 wpattern_malloc = wpattern = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t)); assert (mbsinit (&ps));
@@ -419,6 +424,12 @@ fnmatch (pattern, string, flags)
 XXX Do we have to set `errno' to something which mbsrtows hasn't already done? */ goto free_return;
+ if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))
+ {
+ free (wpattern_malloc);
+ __set_errno (ENOMEM);
+ return -2;
+ }
 wstring_malloc = wstring = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t)); |
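Review bot: The guard added ahead of the `malloc` in the pattern branch (hunk at -375) has no comment saying what it protects, and the same uncommented check is repeated in the string branch of the later hunk at -419. I would put `/* (n + 1) * sizeof (wchar_t) must not wrap, or malloc returns a buffer too small for n + 1 wide characters.  */` above both. The new `return -2` also sits next to the `return -1` of the conversion failure just above it, and nothing visible tells a caller how the two values differ, so a one-line note on the return convention would help. The diffstat lists only ChangeLog and posix/fnmatch.c, so no regression test for an oversized pattern accompanies the change. The body of fnmatch starts and ends outside this hunk.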
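Review bot: This early exit in the string branch (hunk at -419) releases `wpattern_malloc` by hand and returns directly, while the conversion failure in the context line just above leaves through `goto free_return`, so the function now has two cleanup paths for the same buffer. A later allocation added ahead of this point would have to be released in both. Sharing the label would be tidier if it can return a stored status, but the label is defined outside this hunk, so that is not visible here. If the branch stays as written, a comment such as `/* Free before setting errno; free is not guaranteed to preserve it.  */` would record why the order of the two calls matters.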