From 3fc33bce96075b4e69baf95f047ace81bfe86df5 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Thu, 19 Oct 2017 12:39:45 -0700
Subject: [PATCH] glob: fix heap buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* lib/glob.c (glob): Fix off-by-one error introduced into glibc in commit dd7d45e838a42b0ed470c44b55901ea98d0c2bab dated 1997-10-29 20:33:40. Problem reported by Tim Rühsen in: https://sourceware.org/bugzilla/show_bug.cgi?id=22320 Fix suggested by Bruno Haible.
---
 ChangeLog | 9 +++++++++
 lib/glob.c | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index b280a7753..e662c02a5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2017-10-19 Paul Eggert
+
+ glob: fix heap buffer overflow
+ * lib/glob.c (glob): Fix off-by-one error introduced into
+ glibc in commit dd7d45e838a42b0ed470c44b55901ea98d0c2bab
+ dated 1997-10-29 20:33:40. Problem reported by Tim Rühsen in:
+ https://sourceware.org/bugzilla/show_bug.cgi?id=22320
+ Fix suggested by Bruno Haible.
+
 2017-10-18 Paul Eggert
 
 glob: pacify fuzzer for mempcpy
diff --git a/lib/glob.c b/lib/glob.c
index 33030ec72..67530431e 100644
--- a/lib/glob.c
+++ b/lib/glob.c
@@ -764,7 +764,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 *p = '\0';
 }
 else
- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
 = '\0';
 user_name = newp;
 }
-- 
2.13.6
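Review bot: The corrected length `end_name - dirname - 1` on the added line rests on an invariant the code states nowhere — dirname points at the leading '~' and end_name one past the user name, so the name is one byte shorter than the span — and a comment on that line, `/* Copy the name after the leading '~'; the NUL is stored below.  */`, would keep a later edit from reintroducing the off-by-one. The `*p = '\0'` branch just above and the allocation of newp are outside the hunk, so I could not confirm they size the buffer and the other copy with the same expression; if they do, computing `size_t user_len = end_name - dirname - 1;` once and using it for the allocation and both copies would make that agreement mechanical rather than something each reader re-derives. A regression test with a tilde pattern whose user name runs to the end of the string (presumably the shape behind the linked bug 22320) would pin the fix under the sanitizer build the fuzzer already uses. The enclosing function glob starts and ends outside the hunk.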