This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[PATCH] glob: Fix one-byte overflow [BZ #22320]
- From: Florian Weimer <fweimer at redhat dot com>
- To: GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 20 Oct 2017 13:23:11 +0200
- Subject: [PATCH] glob: Fix one-byte overflow [BZ #22320]
I plan to commit this once we have the CVE ID from MITRE.
Thanks,
Florian
2017-10-20  Paul Eggert  <eggert@cs.ucla.edu>

	[BZ #22320]
	* posix/glob.c (__glob): Fix one-byte overflow.
diff --git a/NEWS b/NEWS
index ad680db874..2b6a022b32 100644
--- a/NEWS
+++ b/NEWS
@@ -72,6 +72,10 @@ Security related changes:
vulnerability; only trusted binaries must be examined using the ldd
script.)
+ The glob function, when invoked with GLOB_TILDE, suffered from a one-byte
+ overflow during ~ operator processing (either on the stack or the heap,
+ depending on the length of the user name).
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
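Review bot: the NEWS entry carries no CVE identifier although the cover note says the commit is waiting on one from MITRE; put a clearly marked placeholder in the entry now (for example `(CVE-XXXX-XXXX)` after the last sentence) so the ID is filled in at commit time rather than forgotten, and consider naming what is written out of bounds (the terminating NUL stored after the copied user name, as the glob.c hunk shows) so readers can judge the impact from the entry alone.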
diff --git a/posix/glob.c b/posix/glob.c
index 076ab2bd72..15a6c0cf13 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
*p = '\0';
}
else
- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
= '\0';
user_name = newp;
}
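Review bot: the new byte count is the right one, since the copy starts at `dirname + 1` the number of name bytes is `end_name - dirname - 1`, and with the old `end_name - dirname` mempcpy copied one byte past the user name and the following `= '\0'` then stored the terminator one byte beyond that, which is the overflow described in NEWS. Two follow-ups: the allocation of `newp` is outside this hunk, so confirm its size is derived from the same length (computing it once into a local such as `size_t name_len = end_name - dirname - 1;` and using it for both the allocation and the copy would keep the two from drifting apart again), and the ChangeLog lists only posix/glob.c, so add a regression test under posix/ that calls glob with GLOB_TILDE on a `~user` pattern whose user-name length sits exactly at the buffer boundary, so the fix stays covered by the test suite.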