diff options
| author | jilles <jilles@FreeBSD.org> | 2015-09-13 13:58:46 +0000 |
|---|---|---|
| committer | jilles <jilles@FreeBSD.org> | 2015-09-13 13:58:46 +0000 |
| commit | 4c6f14a861a3f125cf0a54644a95aaa138e549db (patch) | |
| tree | fd23eeaf39e5fc47af49dbefaf2a9ee7712c07ed /bin | |
| parent | 4918e13c30a266fdc74a5df487939a8cea9745fb (diff) | |
| download | FreeBSD-src-4c6f14a861a3f125cf0a54644a95aaa138e549db.zip FreeBSD-src-4c6f14a861a3f125cf0a54644a95aaa138e549db.tar.gz | |
MFC r287148: sh: Fix out of bounds read when there is no ] after a [:class:].
The initial check for a matching ] was incorrect if a ] may be consumed by a
[:class:]. The subsequent loop assumed that there must be a ].
Remove the initial check and make the loop cope with a missing ].
Found with afl-fuzz.
Diffstat (limited to 'bin')
| -rw-r--r-- | bin/sh/expand.c | 19 | ||||
| -rw-r--r-- | bin/sh/tests/builtins/Makefile | 1 | ||||
| -rw-r--r-- | bin/sh/tests/builtins/case20.0 | 9 |
3 files changed, 17 insertions, 12 deletions
diff --git a/bin/sh/expand.c b/bin/sh/expand.c index 7c68dca..84e342d 100644 --- a/bin/sh/expand.c +++ b/bin/sh/expand.c @@ -1468,21 +1468,11 @@ patmatch(const char *pattern, const char *string, int squoted) bt_q = q; break; case '[': { - const char *endp; + const char *savep, *saveq; int invert, found; wchar_t chr; - endp = p; - if (*endp == '!' || *endp == '^') - endp++; - do { - while (*endp == CTLQUOTEMARK) - endp++; - if (*endp == 0) - goto dft; /* no matching ] */ - if (*endp == CTLESC) - endp++; - } while (*++endp != ']'); + savep = p, saveq = q; invert = 0; if (*p == '!' || *p == '^') { invert++; @@ -1501,6 +1491,11 @@ patmatch(const char *pattern, const char *string, int squoted) chr = (unsigned char)*q++; c = *p++; do { + if (c == '\0') { + p = savep, q = saveq; + c = '['; + goto dft; + } if (c == CTLQUOTEMARK) continue; if (c == '[' && *p == ':') { diff --git a/bin/sh/tests/builtins/Makefile b/bin/sh/tests/builtins/Makefile index 2c90cbd..ec4cab6 100644 --- a/bin/sh/tests/builtins/Makefile +++ b/bin/sh/tests/builtins/Makefile @@ -34,6 +34,7 @@ FILES+= case16.0 FILES+= case17.0 FILES+= case18.0 FILES+= case19.0 +FILES+= case20.0 FILES+= cd1.0 FILES+= cd2.0 FILES+= cd3.0 diff --git a/bin/sh/tests/builtins/case20.0 b/bin/sh/tests/builtins/case20.0 new file mode 100644 index 0000000..03a4eb2 --- /dev/null +++ b/bin/sh/tests/builtins/case20.0 @@ -0,0 +1,9 @@ +# $FreeBSD$ + +# Shells do not agree about what this pattern should match, but it is +# certain that it must not crash and the missing close bracket must not +# be simply ignored. + +case B in +[[:alpha:]) echo bad ;; +esac |
