1 From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Fri, 10 Nov 2017 08:52:45 +0100
4 Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
6 The code would previously read beyond the end of the pattern string if the
7 match pattern ends with an open bracket when the default pattern
8 matching function is used.
11 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
15 Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
17 lib/curl_fnmatch.c | 9 +++------
18 tests/data/Makefile.inc | 2 +-
19 tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
20 3 files changed, 56 insertions(+), 7 deletions(-)
21 create mode 100644 tests/data/test1163
23 diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
24 index da83393b4..8a1e106c4 100644
25 --- a/lib/curl_fnmatch.c
26 +++ b/lib/curl_fnmatch.c
27 @@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
28 unsigned char lastchar = 0;
29 bool something_found = FALSE;
34 + return SETCHARSET_FAIL;
37 case CURLFNM_SCHS_DEFAULT:
38 if(ISALNUM(c)) { /* ASCII value */
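Review bot: The early `return SETCHARSET_FAIL;` added in this hunk appears to become the only end-of-pattern guard in setcharset, because the two later hunks delete both `else if(c == '\0')` branches, yet nothing at the new line records that invariant. Its guarding condition is not visible on this page, so this assumes it tests the character just read from the pattern at the start of each loop iteration. I would add a comment above it such as `/* pattern ended inside a bracket expression: fail here so no state reads past the terminating NUL */`. The comment should also say that any branch advancing `*p` more than once per iteration must re-check for NUL itself, since the per-state checks are gone. The function body starts and ends outside this hunk, so whether such branches exist cannot be confirmed from here.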
41 @@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
45 return SETCHARSET_FAIL;
47 - else if(c == '\0') {
48 - return SETCHARSET_FAIL;
53 something_found = TRUE;
55 @@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
61 - else if(c == '\0') {
62 - return SETCHARSET_FAIL;
67 state = CURLFNM_SCHS_DEFAULT;
69 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
70 index dc1cc03bc..6eb37d81d 100644
71 --- a/tests/data/Makefile.inc.1 2017-11-29 20:00:26.126452486 +0000
72 +++ b/tests/data/Makefile.inc 2017-11-29 20:01:13.057783732 +0000
74 test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
75 test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
78 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
79 test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
80 test1216 test1217 test1218 test1219 \
81 diff --git a/tests/data/test1163 b/tests/data/test1163
83 index 000000000..a109b511b
85 +++ b/tests/data/test1163
115 +FTP wildcard with pattern ending with an open-bracket
118 +"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
124 +PASS ftp@example.com
133 +# 78 == CURLE_REMOTE_FILE_NOT_FOUND