authorStan Shebs <stanshebs@google.com>2017-01-10 18:44:57 -0800
committerStan Shebs <stanshebs@google.com>2017-01-10 18:44:57 -0800
commita998069c80f74c59dc831ab85540f59dd1d08897 (patch)
tree9aa22f1e6d9bbb21789958027c37b32c5c6c4cfd
parent85ea40f66d959240ed03f62f64f74c17e27e409a (diff)
Don't read past end of pattern in fnmatch (BZ17062)
-rw-r--r--README.google5
-rw-r--r--posix/fnmatch_loop.c13
2 files changed, 8 insertions, 10 deletions
diff --git a/README.google b/README.google
index 6677ba18da..bdaaacb983 100644
--- a/README.google
+++ b/README.google
@@ -620,3 +620,8 @@ nss/nss_files/files-XXX.c
   For b/26276654, don't ignore too long lines in nss_files (BZ17079, CVE-2015-5277)
   https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=3fd498242948b1fa944c56646ec9b156387dd310
   (stanshebs, backport)
+
+posix/fnmatch_loop.c
+  Don't read past end of pattern in fnmatch (BZ17062)
+  https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=b3a9f56ba59c3d8eadd3135a1c25c37a63151450
+  (stanshebs, backport)
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index ce404c4c61..18add2d8ef 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -899,11 +899,8 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 
 	  matched:
 	    /* Skip the rest of the [...] that already matched.  */
-	    do
+	    while ((c = *p++) != L (']'))
 	      {
-	      ignore_next:
-		c = *p++;
-
 		if (c == L('\0'))
 		  /* [... (unterminated) loses.  */
 		  return FNM_NOMATCH;
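Review bot: No regression test comes with this loop rewrite; the diffstat lists only README.google and posix/fnmatch_loop.c. The old code fetched the character after a `[:class:]`, `[=x=]` or `[.x.]` element with `c = *p++;` and, when that was not `]`, fetched again at `ignore_next` before the NUL test, so a pattern that ends inside a bracket expression right after such an element is the case to pin, ideally with the pattern placed at the very end of its buffer. A minor style point on the new loop head: `L (']')` has a space that `L('\0')` a few lines below does not. The loop body continues past the end of this hunk.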
@@ -931,12 +928,11 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 
 			if (c < L('a') || c >= L('z'))
 			  {
-			    p = startp;
-			    goto ignore_next;
+			    p = startp - 2;
+			    break;
 			  }
 		      }
 		    p += 2;
-		    c = *p++;
 		  }
 		else if (c == L('[') && *p == L('='))
 		  {
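Review bot: `p = startp - 2; break;` only works because the `p += 2;` after the inner loop brings p back to startp, and nothing in the code says so. A comment on the assignment would help, for example `/* Not a class name: the p += 2 below restores p to startp.  */`. The intermediate pointer stays inside the pattern only if startp is at least two characters past the start of the bracket expression, which looks true if startp was saved at the ':', but its declaration is outside this hunk, so that is worth confirming. The inner loop's head is also outside the hunk.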
@@ -947,7 +943,6 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 		    if (c != L('=') || p[1] != L(']'))
 		      return FNM_NOMATCH;
 		    p += 2;
-		    c = *p++;
 		  }
 		else if (c == L('[') && *p == L('.'))
 		  {
@@ -961,10 +956,8 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 			  break;
 		      }
 		    p += 2;
-		    c = *p++;
 		  }
 	      }
-	    while (c != L(']'));
 	    if (not)
 	      return FNM_NOMATCH;
 	  }