diff options
| author |   Paul Eggert <eggert@cs.ucla.edu> | 2017-10-22 10:00:57 +0200 |
|---|---|---|
| committer |   Florian Weimer <fweimer@redhat.com> | 2017-10-22 10:01:24 +0200 |
| commit | a159b53fa059947cc2548e3b0d5bdcf7b9630ba8 (patch) | |
| tree | ec926a3f2199246bc1ef2c9361afac4a39d7ed21 /posix | |
| parent | Update NEWS and ChangeLog for CVE-2017-15671 (diff) | |
| download | glibc-a159b53fa059947cc2548e3b0d5bdcf7b9630ba8.tar.gz glibc-a159b53fa059947cc2548e3b0d5bdcf7b9630ba8.tar.bz2 glibc-a159b53fa059947cc2548e3b0d5bdcf7b9630ba8.zip | |
glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]
Diffstat (limited to 'posix')
| -rw-r--r-- | posix/glob.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/posix/glob.c b/posix/glob.c index 15a6c0cf13..cb39779d07 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -770,11 +770,11 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), char *p = mempcpy (newp, dirname + 1, unescape - dirname - 1); char *q = unescape; - while (*q != '\0') + while (q != end_name) { if (*q == '\\') { - if (q[1] == '\0') + if (q + 1 == end_name) { /* "~fo\\o\\" unescape to user_name "foo\\", but "~fo\\o\\/" unescape to user_name |