summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorUlrich Drepper <drepper@gmail.com>2011-03-18 05:29:20 -0400
committerPetr Baudis <pasky@suse.cz>2011-05-27 00:19:52 +0200
commitfa9f66a6f09f3b7234cc24ca3266259a589c3470 (patch)
treedad81567fb143da890d23b08d86b9cc6652fe2f7
parentefdc6bb89a814bacc9601d725565eceb1c3160bc (diff)
downloadglibc-fa9f66a6f09f3b7234cc24ca3266259a589c3470.tar.gz
Check size of pattern in wide character representation in fnmatch.
(cherry picked from commit 8126d90480fa3e0c5c5cd0d02cb1c93174b45485)
-rw-r--r--ChangeLog7
-rw-r--r--posix/fnmatch.c13
2 files changed, 19 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index a174446135..a29a823482 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-03-18 Ulrich Drepper <drepper@gmail.com>
+
+ [BZ #12583]
+ * posix/fnmatch.c (fnmatch): Check size of pattern in wide
+ character representation.
+ Partly based on a patch by Tomas Hoger <thoger@redhat.com>.
+
2011-03-16 Ryan S. Arnold <rsa@us.ibm.com>
* sysdeps/powerpc/powerpc32/power6/fpu/s_isnanf.S (isnanf): Fix
diff --git a/posix/fnmatch.c b/posix/fnmatch.c
index 0af5ee6b1e..819a6a76f6 100644
--- a/posix/fnmatch.c
+++ b/posix/fnmatch.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1991,1992,1993,1996,1997,1998,1999,2000,2001,2002,2003,2007,2010
+/* Copyright (C) 1991,1992,1993,1996,1997,1998,1999,2000,2001,2002,2003,2007,2010,2011
Free Software Foundation, Inc.
This file is part of the GNU C Library.
@@ -375,6 +375,11 @@ fnmatch (pattern, string, flags)
XXX Do we have to set `errno' to something which mbsrtows hasn't
already done? */
return -1;
+ if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))
+ {
+ __set_errno (ENOMEM);
+ return -2;
+ }
wpattern_malloc = wpattern
= (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));
assert (mbsinit (&ps));
@@ -419,6 +424,12 @@ fnmatch (pattern, string, flags)
XXX Do we have to set `errno' to something which mbsrtows hasn't
already done? */
goto free_return;
+ if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))
+ {
+ free (wpattern_malloc);
+ __set_errno (ENOMEM);
+ return -2;
+ }
wstring_malloc = wstring
= (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));