authorPaul Pluzhnikov <ppluzhnikov@google.com>2015-03-02 13:34:22 -0800
committerPaul Pluzhnikov <ppluzhnikov@google.com>2015-03-02 13:34:22 -0800
commitc2c6d39fab901c97c18fa3a3a3658d9dc3f7df61 (patch)
tree43cf2e4e4f302d8bf0a841d8e06ab510b4e4aea7 /posix/fnmatch_loop.c
parente8b6be0016f131c2ac72bf3213eabdb59800e63b (diff)
Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch
Diffstat (limited to 'posix/fnmatch_loop.c')
-rw-r--r--posix/fnmatch_loop.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 72c5d8f..f46c9df 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -1036,7 +1036,12 @@ END (const CHAR *pattern)
}
else if ((*p == L('?') || *p == L('*') || *p == L('+') || *p == L('@')
|| *p == L('!')) && p[1] == L('('))
- p = END (p + 1);
+ {
+ p = END (p + 1);
+ if (*p == L('\0'))
+ /* This is an invalid pattern. */
+ return pattern;
+ }
else if (*p == L(')'))
break;
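Review bot: The added check only recognises a nested call that stops on the terminator; it does not recognise a nested call that fails through the same `return pattern` path. In that case the call returns its own argument, `p + 1`, and since `p[1] == L('(')` was just tested, `*p` is `(` rather than `L('\0')`, so the guard does not fire. The rest of END's loop is outside the hunk, but presumably scanning then resumes inside a group already found to be invalid, repeating work at every nesting level. Comparing the result with the argument would propagate the failure directly: `const CHAR *q = END (p + 1);` `if (q == p + 1 || *q == L('\0')) return pattern;` `p = q;`. The comment could also say why the terminator case matters, for example `/* Nested group ended at the terminator, so the enclosing group is unclosed; do not let the loop advance past it. */`.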