diff options
author | Ulrich Drepper <drepper@gmail.com> | 2011-03-18 05:29:20 -0400 |
---|---|---|
committer | Petr Baudis <pasky@suse.cz> | 2011-05-27 00:19:52 +0200 |
commit | fa9f66a6f09f3b7234cc24ca3266259a589c3470 (patch) | |
tree | dad81567fb143da890d23b08d86b9cc6652fe2f7 | |
parent | efdc6bb89a814bacc9601d725565eceb1c3160bc (diff) | |
download | glibc-fa9f66a6f09f3b7234cc24ca3266259a589c3470.tar.gz |
Check size of pattern in wide character representation in fnmatch.
(cherry picked from commit 8126d90480fa3e0c5c5cd0d02cb1c93174b45485)
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | posix/fnmatch.c | 13 |
2 files changed, 19 insertions, 1 deletions
@@ -1,3 +1,10 @@ +2011-03-18 Ulrich Drepper <drepper@gmail.com> + + [BZ #12583] + * posix/fnmatch.c (fnmatch): Check size of pattern in wide + character representation. + Partly based on a patch by Tomas Hoger <thoger@redhat.com>. + 2011-03-16 Ryan S. Arnold <rsa@us.ibm.com> * sysdeps/powerpc/powerpc32/power6/fpu/s_isnanf.S (isnanf): Fix diff --git a/posix/fnmatch.c b/posix/fnmatch.c index 0af5ee6b1e..819a6a76f6 100644 --- a/posix/fnmatch.c +++ b/posix/fnmatch.c @@ -1,4 +1,4 @@ -/* Copyright (C) 1991,1992,1993,1996,1997,1998,1999,2000,2001,2002,2003,2007,2010 +/* Copyright (C) 1991,1992,1993,1996,1997,1998,1999,2000,2001,2002,2003,2007,2010,2011 Free Software Foundation, Inc. This file is part of the GNU C Library. @@ -375,6 +375,11 @@ fnmatch (pattern, string, flags) XXX Do we have to set `errno' to something which mbsrtows hasn't already done? */ return -1; + if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0)) + { + __set_errno (ENOMEM); + return -2; + } wpattern_malloc = wpattern = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t)); assert (mbsinit (&ps)); @@ -419,6 +424,12 @@ fnmatch (pattern, string, flags) XXX Do we have to set `errno' to something which mbsrtows hasn't already done? */ goto free_return; + if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0)) + { + free (wpattern_malloc); + __set_errno (ENOMEM); + return -2; + } wstring_malloc = wstring = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t)); |