glibc/glibc-2.24-CVE-2017-15804.patch

From 94825c8924b80518214ad9e3ca1f6589f209592c Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun, 22 Oct 2017 10:00:57 +0200
Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
 #22332]

(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
---
 ChangeLog    | 6 ++++++
 NEWS         | 4 ++++
 posix/glob.c | 4 ++--
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/posix/glob.c b/posix/glob.c
index 026bc06..f3fa807 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -863,11 +863,11 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		  char *p = mempcpy (newp, dirname + 1,
 				     unescape - dirname - 1);
 		  char *q = unescape;
-		  while (*q != '\0')
+		  while (q != end_name)
 		    {
 		      if (*q == '\\')
 			{
-			  if (q[1] == '\0')
+			  if (q + 1 == end_name)
 			    {
 			      /* "~fo\\o\\" unescape to user_name "foo\\",
 				 but "~fo\\o\\/" unescape to user_name
-- 
2.9.3
Backport upstream patches to fix CVE-2017-15670 and CVE-2017-15804 2018-11-11 02:24:02 +10:00			`From 94825c8924b80518214ad9e3ca1f6589f209592c Mon Sep 17 00:00:00 2001`
			`From: Paul Eggert <eggert@cs.ucla.edu>`
			`Date: Sun, 22 Oct 2017 10:00:57 +0200`
			`Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ`
			`#22332]`

			`(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)`
			`---`
			`ChangeLog \| 6 ++++++`
			`NEWS \| 4 ++++`
			`posix/glob.c \| 4 ++--`
			`3 files changed, 12 insertions(+), 2 deletions(-)`

			`diff --git a/posix/glob.c b/posix/glob.c`
			`index 026bc06..f3fa807 100644`
			`--- a/posix/glob.c`
			`+++ b/posix/glob.c`
			`@@ -863,11 +863,11 @@ glob (const char pattern, int flags, int (errfunc) (const char *, int),`
			`char *p = mempcpy (newp, dirname + 1,`
			`unescape - dirname - 1);`
			`char *q = unescape;`
			`- while (*q != '\0')`
			`+ while (q != end_name)`
			`{`
			`if (*q == '\\')`
			`{`
			`- if (q[1] == '\0')`
			`+ if (q + 1 == end_name)`
			`{`
			`/* "~fo\\o\\" unescape to user_name "foo\\",`
			`but "~fo\\o\\/" unescape to user_name`
			`--`
			`2.9.3`