authorDaniel Stenberg <daniel@haxx.se>2018-01-13 21:52:15 +0100
committerDaniel Stenberg <daniel@haxx.se>2018-01-17 10:41:38 +0100
commitcb5accab9ee3abdee777b59b463b5e0ca05a490a (patch)
tree7ccac75f5e82e7975d3afc449f6b331cc88e0584 /lib/curl_fnmatch.c
parent25c40c9af97782c9d475e765d50eaac071fd7d91 (diff)
ftp-wildcard: fix matching an empty string with "*[^a]"
.... and avoid advancing the pointer to trigger an out of buffer read. Detected by OSS-fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251 Assisted-by: Max Dymond
Diffstat (limited to 'lib/curl_fnmatch.c')
-rw-r--r--lib/curl_fnmatch.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
index 8a1e106c4..5638e167a 100644
--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -376,7 +376,9 @@ static int loop(const unsigned char *pattern, const unsigned char *string)
if(found) {
p = pp + 1;
- s++;
+ if(*s)
+ /* don't advance if we're matching on an empty string */
+ s++;
memset(charset, 0, CURLFNM_CHSET_SIZE);
}
else
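Review bot: With `*s` at the terminating NUL, the `if(found)` branch still runs `p = pp + 1`, so a negated set such as `[^a]` is accepted without consuming any character; the added guard only keeps `s` from moving past the end of the buffer. If a bracket expression is meant to match exactly one character, returning no-match for an empty remainder would be stricter, e.g. `if(!*s) return CURL_FNMATCH_NOMATCH;` before `p = pp + 1;`. Whether that fits the intended wildcard semantics cannot be confirmed from here, because the set evaluation and the rest of loop() lie outside the hunk. A unit test case for an empty string against `*[^a]` would pin whichever result is intended and keep the OSS-Fuzz input from regressing.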