Hi all,

in certain cases,

  fnmatch(pattern, string, flags)

reads beyond the end of pattern. This can be triggered by parameters
like this:

  fnmatch("[A-Z[.", "F", 0);

The corresponding code can be found here:

  https://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/tree/libc/misc/fnmatch/fnmatch_loop.c#n920

After line 920 is executed, p points to '\0' (the end of the pattern).

Then, in line 923, p is unconditionally increased again and the value
_after_ the end of the pattern is read (to find out if the pattern has
ended).

Suggested fix: Just remove line 920.

Kind regards,

Frank
-- 
Dr.-Ing. Frank Mehnert, frank.mehn...@kernkonzept.com, +49-351-41 883 224

Kernkonzept GmbH.  Sitz: Dresden.  Amtsgericht Dresden, HRB 31129.
Geschäftsführer: Dr.-Ing. Michael Hohmuth
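
An added example, not part of the original message and not uClibc-ng code: a simplified C model of the two pointer advances the report describes, with every read instrumented so the over-read is counted rather than performed. The names `highest_index_read` and `rd`, the 64-byte buffer and the 'X' padding are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the "[." skip described in the report; this is not
 * the uClibc-ng source. Every read goes through rd(), which records the
 * highest index touched so an over-read is measured, not performed. */
static size_t max_read;

static char rd(const char *buf, size_t i)
{
    if (i > max_read)
        max_read = i;
    return buf[i];
}

/* Returns the highest index read while skipping a "[." collating symbol.
 * A result greater than strlen(pattern) is a read past the terminator.
 * extra_advance != 0 models the additional p++ the report removes. */
size_t highest_index_read(const char *pattern, int extra_advance)
{
    char buf[64];
    size_t len = strlen(pattern);
    const char *open = strstr(pattern, "[.");

    if (open == NULL || len + 8 > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);     /* constructed stand-in for adjacent memory */
    memcpy(buf, pattern, len + 1);

    size_t p = (size_t)(open - pattern) + 1;  /* p is on '.', '[' already consumed */
    max_read = 0;
    if (extra_advance)
        p++;                          /* the advance reported at line 920 */
    while (p + 2 < sizeof buf) {      /* keeps the model inside buf */
        char c = rd(buf, ++p);        /* the unconditional advance at line 923 */
        if (c == '\0')
            break;                    /* unterminated "[.": pattern cannot match */
        if (c == '.' && rd(buf, p + 1) == ']')
            break;                    /* found the closing ".]" */
    }
    return max_read;
}

int main(void)
{
    const char *pat = "[A-Z[.";       /* pattern from the report */
    printf("strlen=%zu with=%zu without=%zu\n", strlen(pat),
           highest_index_read(pat, 1), highest_index_read(pat, 0));
    return 0;
}
```

With the extra advance the model reads beyond index strlen(pattern); without it the last byte read is the terminator itself, and a well-formed "[.a.]" is still skipped correctly.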

