From fc843f6e48737d3d6690c5cf355d9719274efee1 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Thu, 26 Feb 2015 14:55:24 +0100
Subject: Fix read past end of pattern in fnmatch (bug 18032)

(cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)

Conflicts:
	ChangeLog
	NEWS
---
 ChangeLog            | 6 ++++++
 NEWS                 | 2 +-
 posix/fnmatch_loop.c | 5 ++---
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 815acf08dd..a4f4e0d863 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-02-26  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #18032]
+	* posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+	over collating symbol inside a bracket expression.  Minor cleanup.
+
 2014-06-23  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #17079]
diff --git a/NEWS b/NEWS
index ed33f47750..c017fa3014 100644
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,7 @@ Version 2.19.1
 
   15946, 16545, 16574, 16623, 16657, 16695, 16743, 16878, 16882, 16885,
   16916, 16932, 16943, 16958, 17048, 17069, 17079, 17137, 17153, 17213,
-  17263, 17325, 17555, 18287.
+  17263, 17325, 17555, 18032, 18287.
 
 * A buffer overflow in gethostbyname_r and related functions performing DNS
   requests has been fixed.  If the NSS functions were called with a
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index f79d051a3a..f11d0f1a1f 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -951,14 +951,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 		  }
 		else if (c == L('[') && *p == L('.'))
 		  {
-		    ++p;
 		    while (1)
 		      {
 			c = *++p;
-			if (c == '\0')
+			if (c == L('\0'))
 			  return FNM_NOMATCH;
 
-			if (*p == L('.') && p[1] == L(']'))
+			if (c == L('.') && p[1] == L(']'))
 			  break;
 		      }
 		    p += 2;
-- 
cgit 1.4.1