bug-gnulib
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] glob: fix another heap buffer overflow


From: Paul Eggert
Subject: [PATCH] glob: fix another heap buffer overflow
Date: Sat, 21 Oct 2017 12:42:54 -0700

Problem reported by Tim Rühsen in:
https://sourceware.org/bugzilla/show_bug.cgi?id=22332
* lib/glob.c (glob): Avoid buffer overrun when unescaping.
---
 ChangeLog  | 7 +++++++
 lib/glob.c | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ed34aa80f..23b8c0e8e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-10-21  Paul Eggert  <address@hidden>
+
+       glob: fix another heap buffer overflow
+       Problem reported by Tim Rühsen in:
+       https://sourceware.org/bugzilla/show_bug.cgi?id=22332
+       * lib/glob.c (glob): Avoid buffer overrun when unescaping.
+
 2017-10-19  Paul Eggert  <address@hidden>
 
        quotearg: pacify compiler re unsigned
diff --git a/lib/glob.c b/lib/glob.c
index 67530431e..511be12dd 100644
--- a/lib/glob.c
+++ b/lib/glob.c
@@ -744,11 +744,11 @@ glob (const char *pattern, int flags, int (*errfunc) 
(const char *, int),
                   char *p = mempcpy (newp, dirname + 1,
                                      unescape - dirname - 1);
                   char *q = unescape;
-                  while (*q != '\0')
+                  while (q != end_name)
                     {
                       if (*q == '\\')
                         {
-                          if (q[1] == '\0')
+                          if (q + 1 == end_name)
                             {
                               /* "~fo\\o\\" unescape to user_name "foo\\",
                                  but "~fo\\o\\/" unescape to user_name
-- 
2.13.6




reply via email to

[Prev in Thread] Current Thread [Next in Thread]