On Fri, Jul 31, 2015 at 11:18:15AM -0700, enh wrote:
> automated fuzzing caught this:
>
> #include <fnmatch.h>
> #include <string.h>
>
> int main(void) {
> 	/* the same heap buffer serves as both pattern and string */
> 	char *str = strdup("*[\\$:*[:lower:]");
> 	fnmatch(str, str, 0x27);
> 	return 0;
> }
This is the output of Valgrind as of today:
==7819== Memcheck, a memory error detector
==781
On Fri, 31 Jul 2015 21:16:51 +0200, Stefan Sperling wrote:
> That's much cleaner and I can confirm it fixes the issue.
> Can we move the break on the next line? Apart from that, ok with me.
Sure. I also verified the fix with valgrind.
- todd
Index: lib/libc/gen/fnmatch.c
=
On Fri, Jul 31, 2015 at 12:58:47PM -0600, Todd C. Miller wrote:
> The problem is that classmatch() can change pattern so we need to
> check to see if it was consumed afterwards.
>
> - todd
>
> Index: lib/libc/gen/fnmatch.c
> ===
> R
On Fri, Jul 31, 2015 at 11:18:15AM -0700, enh wrote:
> automated fuzzing caught this:
>
> #include <fnmatch.h>
> #include <string.h>
>
> int main(void) {
> 	/* the same heap buffer serves as both pattern and string */
> 	char *str = strdup("*[\\$:*[:lower:]");
> 	fnmatch(str, str, 0x27);
> 	return 0;
> }
>
> ==14566==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6020f000 at pc
The problem is that classmatch() can change pattern so we need to
check to see if it was consumed afterwards.
- todd
Index: lib/libc/gen/fnmatch.c
===
RCS file: /cvs/src/lib/libc/gen/fnmatch.c,v
retrieving revision 1.18
diff -u -p -
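The check Todd describes above, as an added illustration that is not OpenBSD's fnmatch.c and not the patch in this thread: a hypothetical class sub-parser (here class_match(), modelled on the classmatch() role) that advances the shared pattern cursor even when the class is well-formed but does not match, and a bracket matcher shown in its buggy and fixed forms. The names class_match, bracket_match, demo, the RANGE_* codes and the padded-buffer harness are assumptions for this example; the harness plants a stray ']' one byte past the pattern's NUL inside a zeroed 64-byte buffer, so a read past the terminator shows up as "consumed more bytes than the pattern has" without leaving the buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes of the hypothetical class sub-parser (names assumed here). */
enum { RANGE_MATCH, RANGE_NOMATCH, RANGE_ERROR };

/*
 * Stand-in for classmatch(), not OpenBSD's code: pattern points at '['.
 * For a well-formed, known "[:name:]" it sets *ep just past the closing ']'
 * (which may be the NUL terminator) and reports MATCH or NOMATCH. Anything
 * else leaves *ep == pattern and reports ERROR so the caller treats the text
 * literally. The important property: the cursor moves on NOMATCH as well.
 */
static int class_match(const char *pattern, int test, const char **ep)
{
    const char *colon;
    size_t len;
    int in_class;

    *ep = pattern;
    if (pattern[0] != '[' || pattern[1] != ':')
        return RANGE_ERROR;
    pattern += 2;
    if ((colon = strchr(pattern, ':')) == NULL || colon[1] != ']')
        return RANGE_ERROR;
    len = (size_t)(colon - pattern);
    if (len == 5 && memcmp(pattern, "lower", 5) == 0)
        in_class = islower((unsigned char)test);
    else if (len == 5 && memcmp(pattern, "upper", 5) == 0)
        in_class = isupper((unsigned char)test);
    else if (len == 5 && memcmp(pattern, "digit", 5) == 0)
        in_class = isdigit((unsigned char)test);
    else
        return RANGE_ERROR;
    *ep = colon + 2;                 /* consumed "[:name:]"; may now sit on NUL */
    return in_class ? RANGE_MATCH : RANGE_NOMATCH;
}

/*
 * Match one character against the bracket expression at *pp (pointing at
 * '['). Returns 1 match, 0 no match, -1 malformed; on success *pp is moved
 * past the closing ']'. With fixed == 0 a NOMATCH from class_match() falls
 * through to the literal-character code, which treats the already-advanced
 * cursor as a literal and steps past the terminator. With fixed == 1 every
 * consumed class goes straight back to the loop test, which re-checks for
 * end of pattern.
 */
static int bracket_match(const char **pp, int test, int fixed)
{
    const char *p = *pp + 1;         /* skip the opening '[' */
    int negate = 0, result = 0;

    if (*p == '!' || *p == '^') { negate = 1; p++; }
    while (*p != '\0') {
        if (*p == ']') {
            *pp = p + 1;
            return result ^ negate;
        }
        switch (class_match(p, test, &p)) {
        case RANGE_MATCH:
            result = 1;
            continue;
        case RANGE_NOMATCH:
            if (fixed)
                continue;            /* FIX: re-check *p before using it */
            break;                   /* BUG: consumed cursor treated as literal */
        default:
            break;                   /* not a class, p is unchanged */
        }
        if (p[1] == '-' && p[2] != ']' && p[2] != '\0') {   /* a-z range */
            if (test >= (unsigned char)p[0] && test <= (unsigned char)p[2])
                result = 1;
            p += 3;
        } else {                                             /* literal */
            if (test == (unsigned char)p[0])
                result = 1;
            p++;                     /* steps over the NUL if p already sits on it */
        }
    }
    return -1;                       /* pattern ended without a closing ']' */
}

struct demo_result { int rv; int consumed; };

/* Constructed input: pattern copied into a zeroed buffer, ']' planted past its NUL. */
static struct demo_result demo(const char *pattern, int test, int fixed)
{
    char buf[64] = { 0 };
    const char *p = buf;
    struct demo_result r;
    size_t n = strlen(pattern);

    if (n > sizeof buf - 3) { r.rv = -1; r.consumed = 0; return r; }
    memcpy(buf, pattern, n);
    buf[n + 1] = ']';
    r.rv = bracket_match(&p, test, fixed);
    r.consumed = (int)(p - buf);
    return r;
}

int main(void)
{
    struct demo_result bug = demo("[[:lower:]", 'A', 0);
    struct demo_result fix = demo("[[:lower:]", 'A', 1);

    printf("unterminated class, buggy: rv=%d consumed=%d (pattern is 10 bytes)\n",
           bug.rv, bug.consumed);
    printf("unterminated class, fixed: rv=%d consumed=%d\n", fix.rv, fix.consumed);
    printf("\"[[:lower:]]\" vs 'a', fixed: rv=%d\n", demo("[[:lower:]]", 'a', 1).rv);
    return 0;
}
```

For the 10-byte pattern "[[:lower:]" the buggy variant reports a clean "no match" after consuming 12 bytes: class_match() left the cursor on the NUL, the literal branch compared it and stepped over it, and the planted ']' was taken as the closing bracket. The fixed variant returns -1 because the NOMATCH arm goes back to the `while (*p != '\0')` test, which is the "was the pattern consumed" check the fix describes. The same fall-through also breaks the well-formed "[[:lower:]]" for a non-lowercase character, since the real closing ']' gets eaten as a literal.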