author | Paul Eggert <eggert@cs.ucla.edu> | 2017-10-21 12:20:29 -0700 |
---|---|---|
committer | Paul Eggert <eggert@cs.ucla.edu> | 2017-10-21 12:20:55 -0700 |
commit | 6803dda53781f7da920f568a31610d41e5c3a351 (patch) | |
tree | aa4edda1d4ace5a7fdff5375da4ba7ad7db2a84b | |
parent | 5675bbfd9a894f9efef89ed208eb5b8ef619e390 (diff) | |
download | gnulib-6803dda53781f7da920f568a31610d41e5c3a351.tar.gz |
glob: fix another heap buffer overflow
Problem reported by Tim Rühsen in:
https://sourceware.org/bugzilla/show_bug.cgi?id=22332
* lib/glob.c (glob): Avoid buffer overrun when unescaping.
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | lib/glob.c | 4 |
2 files changed, 9 insertions, 2 deletions
@@ -1,3 +1,10 @@ +2017-10-21 Paul Eggert <eggert@cs.ucla.edu> + + glob: fix another heap buffer overflow + Problem reported by Tim Rühsen in: + https://sourceware.org/bugzilla/show_bug.cgi?id=22332 + * lib/glob.c (glob): Avoid buffer overrun when unescaping. + 2017-10-19 Paul Eggert <eggert@cs.ucla.edu> quotearg: pacify compiler re unsigned diff --git a/lib/glob.c b/lib/glob.c index 67530431e4..511be12dda 100644 --- a/lib/glob.c +++ b/lib/glob.c @@ -744,11 +744,11 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int), char *p = mempcpy (newp, dirname + 1, unescape - dirname - 1); char *q = unescape; - while (*q != '\0') + while (q != end_name) { if (*q == '\\') { - if (q[1] == '\0') + if (q + 1 == end_name) { /* "~fo\\o\\" unescape to user_name "foo\\", but "~fo\\o\\/" unescape to user_name |
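Review bot: In the lib/glob.c hunk, the new loop condition `while (q != end_name)` terminates only on exact equality, so it is safe only if no path through the loop body can advance q past end_name. The `q + 1 == end_name` test covers the trailing-backslash case, but the rest of the body is cut off here, so please confirm that every other branch advances q by one at most, or use `q < end_name` as a defensive bound. The hunk also does not show where end_name is set or how it relates to the size used to allocate newp; a one-line comment at the loop stating that invariant would make the fix easier to audit. Finally, the diffstat lists only ChangeLog and lib/glob.c, so no regression test accompanies the change; a test built around the patterns named in the comment ("~fo\\o\\" and "~fo\\o\\/") would guard against a recurrence.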