[PATCH] glob: fix another heap buffer overflow
Paul Eggert
2017-10-21 19:42:54 UTC
Problem reported by Tim Rühsen in:
https://sourceware.org/bugzilla/show_bug.cgi?id=22332
* lib/glob.c (glob): Avoid buffer overrun when unescaping.
---
ChangeLog | 7 +++++++
lib/glob.c | 4 ++--
2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ed34aa80f..23b8c0e8e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-10-21 Paul Eggert <***@cs.ucla.edu>
+
+ glob: fix another heap buffer overflow
+ Problem reported by Tim Rühsen in:
+ https://sourceware.org/bugzilla/show_bug.cgi?id=22332
+ * lib/glob.c (glob): Avoid buffer overrun when unescaping.
+
2017-10-19 Paul Eggert <***@cs.ucla.edu>

quotearg: pacify compiler re unsigned
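Review bot: The entry text "Avoid buffer overrun when unescaping" does not say which unescaping path is affected or what now bounds it. The glob.c change is in the "~user" name unescaping and replaces the NUL-terminated scan with one bounded by end_name, so a line such as "(glob): Stop unescaping the user name at end_name, not at the terminating NUL" would let a reader match this entry to the code without opening the bug report.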
diff --git a/lib/glob.c b/lib/glob.c
index 67530431e..511be12dd 100644
--- a/lib/glob.c
+++ b/lib/glob.c
@@ -744,11 +744,11 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
char *p = mempcpy (newp, dirname + 1,
unescape - dirname - 1);
char *q = unescape;
- while (*q != '\0')
+ while (q != end_name)
{
if (*q == '\\')
{
- if (q[1] == '\0')
+ if (q + 1 == end_name)
{
/* "~fo\\o\\" unescape to user_name "foo\\",
but "~fo\\o\\/" unescape to user_name
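Review bot: The new loop test "while (q != end_name)" terminates only if q lands exactly on end_name, and nothing in the hunk shows where end_name is assigned or that it is always at or after unescape. The trailing-backslash case is handled by the "q + 1 == end_name" check, but any other step that advances q twice in one iteration would skip the bound and run on. Consider "q < end_name" as the loop test, or an assertion that unescape <= end_name before the loop, and confirm end_name cannot be NULL on this path. A regression test using the two patterns from the comment, "~fo\\o\\" and "~fo\\o\\/", would cover both the end-of-string and the followed-by-slash cases.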
--
2.13.6