From cb5accab9ee3abdee777b59b463b5e0ca05a490a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sat, 13 Jan 2018 21:52:15 +0100
Subject: ftp-wildcard: fix matching an empty string with "*[^a]" .... and avoid advancing the pointer to trigger an out of buffer read. Detected by OSS-fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251 Assisted-by: Max Dymond
---
lib/curl_fnmatch.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'lib/curl_fnmatch.c')
diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
index 8a1e106c4..5638e167a 100644
--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -376,7 +376,9 @@ static int loop(const unsigned char *pattern, const unsigned char *string)
 if(found) {
 p = pp + 1;
- s++;
+ if(*s)
+ /* don't advance if we're matching on an empty string */
+ s++;
 memset(charset, 0, CURLFNM_CHSET_SIZE);
 }
 else
-- cgit v1.2.1
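Review bot: In the second hunk the new `if(*s)` guard keeps `s` from stepping past the terminating NUL, but the same branch still runs `p = pp + 1` when `*s` is NUL, so a bracket expression is accepted as matched without consuming any character. Going by the commit subject, a negated set such as `[^a]` can leave `found` true at end of string; if so the out-of-bounds read is closed but the pattern would still appear to match an empty string, which a bracket expression should not do. A stricter form would reject end-of-input before the set is evaluated, for example `if(!*s) return CURL_FNMATCH_NOMATCH;`, which also makes the guard on `s++` unnecessary. loop() begins and ends outside the hunk, so where `found` is computed is not visible here and this should be confirmed against the full function; the diffstat also shows no regression test for the `"*[^a]"` empty-string case.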