ftp-wildcard: fix matching an empty string with "*[^a]"

.... and avoid advancing the pointer to trigger an out of buffer read.

Detected by OSS-fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
Assisted-by: Max Dymond

diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
index 8a1e106c456582de2cc483f281039a7444c9a131..5638e167a12029164c95573652133ff3ed7121e0 100644 (file)
--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -376,7 +376,9 @@ static int loop(const unsigned char *pattern, const unsigned char *string)
 
           if(found) {
             p = pp + 1;
-            s++;
+            if(*s)
+              /* don't advance if we're matching on an empty string */
+              s++;
             memset(charset, 0, CURLFNM_CHSET_SIZE);
           }
           else

diff --git a/tests/unit/unit1307.c b/tests/unit/unit1307.c
index 5764622745443e4d7319e0310f989ddb2ce95fd8..c5ec587a5225e8dc33de876625f5227131df342a 100644 (file)
--- a/tests/unit/unit1307.c
+++ b/tests/unit/unit1307.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -27,12 +27,9 @@
 #define NOMATCH CURL_FNMATCH_NOMATCH
 #define RE_ERR  CURL_FNMATCH_FAIL
 
-#define MAX_PATTERN_L 100
-#define MAX_STRING_L  100
-
 struct testcase {
-  char pattern[MAX_PATTERN_L];
-  char string[MAX_STRING_L];
+  const char *pattern;
+  const char *string;
   int  result;
 };
 
@@ -100,6 +97,8 @@ static const struct testcase tests[] = {
   { "*[^a].t?t",                "a.txt",                  NOMATCH },
   { "*[^a].t?t",                "ba.txt",                 NOMATCH },
   { "*[^a].t?t",                "ab.txt",                 MATCH },
+  { "*[^a]",                    "",                       MATCH },
+  { "[!ÿ]",                     "",                       MATCH },
   { "[!?*[]",                   "?",                      NOMATCH },
   { "[!!]",                     "!",                      NOMATCH },
   { "[!!]",                     "x",                      MATCH },
@@ -119,17 +118,17 @@ static const struct testcase tests[] = {
   { "[[:lower:]]",              "l",                      MATCH },
   { "[[:lower:]]",              "L",                      NOMATCH },
   { "[[:print:]]",              "L",                      MATCH },
-  { "[[:print:]]",              {'\10'},                  NOMATCH },
-  { "[[:print:]]",              {'\10'},                  NOMATCH },
+  { "[[:print:]]",              "\10",                    NOMATCH },
+  { "[[:print:]]",              "\10",                    NOMATCH },
   { "[[:space:]]",              " ",                      MATCH },
   { "[[:space:]]",              "x",                      NOMATCH },
   { "[[:graph:]]",              " ",                      NOMATCH },
   { "[[:graph:]]",              "x",                      MATCH },
-  { "[[:blank:]]",              {'\t'},                   MATCH },
-  { "[[:blank:]]",              {' '},                    MATCH },
-  { "[[:blank:]]",              {'\r'},                   NOMATCH },
-  { "[^[:blank:]]",             {'\t'},                   NOMATCH },
-  { "[^[:print:]]",             {'\10'},                  MATCH },
+  { "[[:blank:]]",              "\t",                     MATCH },
+  { "[[:blank:]]",              " ",                      MATCH },
+  { "[[:blank:]]",              "\r",                     NOMATCH },
+  { "[^[:blank:]]",             "\t",                     NOMATCH },
+  { "[^[:print:]]",             "\10",                    MATCH },
   { "[[:lower:]][[:lower:]]",   "ll",                     MATCH },
 
   { "Curl[[:blank:]];-)",       "Curl ;-)",               MATCH },