1 From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Fri, 10 Nov 2017 08:52:45 +0100
4 Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
6 The code would previously read beyond the end of the pattern string if the
7 match pattern ends with an open bracket when the default pattern
8 matching function is used.
11 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
15 Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
17 lib/curl_fnmatch.c | 9 +++------
18 tests/data/Makefile.inc | 2 +-
19 tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
20 3 files changed, 56 insertions(+), 7 deletions(-)
21 create mode 100644 tests/data/test1163
23 --- a/lib/curl_fnmatch.c
24 +++ b/lib/curl_fnmatch.c
25 @@ -133,6 +133,9 @@ static int setcharset(unsigned char **p,
30 + return SETCHARSET_FAIL;
33 case CURLFNM_SCHS_DEFAULT:
34 if(ISALNUM(c)) { /* ASCII value */
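Review bot: The added `return SETCHARSET_FAIL;` in the first setcharset hunk has no comment, yet after this commit it appears to be the only end-of-pattern check left, since the hunks at -197 and -278 delete the per-state `else if(c == '\0')` branches. A comment above it such as `/* pattern ended inside a bracket expression: fail here, before any state uses c or advances *p */` would tell the next maintainer that it has to stay ahead of the state switch. The guarding condition and the rest of the loop are not visible in this rendering, so it is worth confirming that no state reads a further character beyond `c` without a check of its own. setcharset's body starts and ends outside the hunk.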
35 @@ -197,9 +200,6 @@ static int setcharset(unsigned char **p,
37 return SETCHARSET_FAIL;
39 - else if(c == '\0') {
40 - return SETCHARSET_FAIL;
45 @@ -278,9 +278,6 @@ static int setcharset(unsigned char **p,
49 - else if(c == '\0') {
50 - return SETCHARSET_FAIL;
55 --- a/tests/data/Makefile.inc
56 +++ b/tests/data/Makefile.inc
57 @@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test
58 test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
59 test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
62 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
63 test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
64 test1216 test1217 test1218 test1219 \
66 +++ b/tests/data/test1163
96 +FTP wildcard with pattern ending with an open-bracket
99 +"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
105 +PASS ftp@example.com
114 +# 78 == CURLE_REMOTE_FILE_NOT_FOUND