svn commit: r287752 - in stable/10/bin/sh: . tests/builtins
Jilles Tjoelker
jilles at FreeBSD.org
Sun Sep 13 13:58:47 UTC 2015
Author: jilles
Date: Sun Sep 13 13:58:46 2015
New Revision: 287752
URL: https://svnweb.freebsd.org/changeset/base/287752
Log:
MFC r287148: sh: Fix out of bounds read when there is no ] after a [:class:].
The initial check for a matching ] was incorrect if a ] may be consumed by a
[:class:]. The subsequent loop assumed that there must be a ].
Remove the initial check and make the loop cope with a missing ].
Found with afl-fuzz.
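To make the failure mode concrete, the following is an added, simplified C model of sh's case-pattern matcher. It is not FreeBSD's expand.c: it drops the CTLESC/CTLQUOTEMARK quoting markers, multibyte handling and ranges, and knows only the alpha and digit classes. old_prescan_finds_close() reproduces the pre-scan the commit removes and shows why it wrongly reports a closing bracket for `[:alpha:]`; patmatch() takes the fixed approach, saving p and q and falling back to a literal `[` when the pattern ends before a `]`. The class_matches() helper and the treatment of an unterminated class as a plain set member are this model's assumptions, not behaviour taken from the shell.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of the pre-scan this commit removes (p points just past the '[').
 * It honours a leading '!'/'^' and treats the first body character as literal,
 * but knows nothing about [:class:], so the ']' closing a class satisfies it.
 * The real code also skipped CTLESC/CTLQUOTEMARK; omitted here. */
static bool old_prescan_finds_close(const char *p)
{
    const char *endp = p;
    if (*endp == '!' || *endp == '^')
        endp++;
    do {
        if (*endp == '\0')
            return false;           /* no matching ] */
    } while (*++endp != ']');
    return true;
}

/* Classes this model supports; unknown names match nothing (assumption). */
static bool class_matches(const char *name, size_t len, unsigned char chr)
{
    if (len == 5 && memcmp(name, "alpha", 5) == 0)
        return isalpha(chr) != 0;
    if (len == 5 && memcmp(name, "digit", 5) == 0)
        return isdigit(chr) != 0;
    return false;
}

/* Fixed-style matcher: 1 if pattern p matches subject q, else 0. Handles
 * literals, '*' and bracket expressions with the classes above. There is no
 * pre-scan: the bracket loop tests for end of pattern on every iteration and,
 * when ']' never comes, rewinds to the saved p/q and matches '[' literally. */
static int patmatch(const char *p, const char *q)
{
    for (;;) {
        char c = *p++;
        switch (c) {
        case '\0':
            return *q == '\0';
        case '*':
            while (*p == '*')
                p++;
            if (*p == '\0')
                return 1;
            for (; *q != '\0'; q++)
                if (patmatch(p, q))
                    return 1;
            return patmatch(p, q);      /* rest of pattern against "" */
        case '[': {
            const char *savep = p, *saveq = q;
            int invert = 0, found = 0;
            unsigned char chr;
            if (*p == '!' || *p == '^') {
                invert = 1;
                p++;
            }
            if (*q == '\0')
                return 0;
            chr = (unsigned char)*q++;  /* consumed before ']' is known */
            c = *p++;                   /* first body char is literal */
            do {
                if (c == '\0') {
                    /* Ran off the pattern with no ']': rewind both pointers
                     * and match the '[' literally (the committed fix). */
                    p = savep;
                    q = saveq;
                    c = '[';
                    goto dft;
                }
                if (c == '[' && *p == ':') {
                    /* [:name:]. strstr stops at NUL, so an unterminated class
                     * cannot overrun; '[' then stays an ordinary set member. */
                    const char *name = p + 1, *end = strstr(name, ":]");
                    if (end != NULL) {
                        if (class_matches(name, (size_t)(end - name), chr))
                            found = 1;
                        p = end + 2;
                        continue;       /* to the while: c = *p++ */
                    }
                }
                if ((unsigned char)c == chr)
                    found = 1;
            } while ((c = *p++) != ']');
            if (found == invert)
                return 0;
            break;
        }
        default:
        dft:
            if (*q == '\0' || (unsigned char)c != (unsigned char)*q)
                return 0;
            q++;
            break;
        }
    }
}
```

old_prescan_finds_close("[:alpha:]") returns true even though the only `]` belongs to the class, which is exactly the precondition the old loop trusted before walking off the end of the pattern. patmatch("[[:alpha:]", "B") returns 0, matching what case20.0 expects, and the unterminated `[` is matched literally instead: patmatch("[abc", "[abc") returns 1.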
Added:
stable/10/bin/sh/tests/builtins/case20.0
- copied unchanged from r287148, head/bin/sh/tests/builtins/case20.0
Modified:
stable/10/bin/sh/expand.c
stable/10/bin/sh/tests/builtins/Makefile
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/bin/sh/expand.c
==============================================================================
--- stable/10/bin/sh/expand.c Sun Sep 13 13:52:54 2015 (r287751)
+++ stable/10/bin/sh/expand.c Sun Sep 13 13:58:46 2015 (r287752)
@@ -1468,21 +1468,11 @@ patmatch(const char *pattern, const char
bt_q = q;
break;
case '[': {
- const char *endp;
+ const char *savep, *saveq;
int invert, found;
wchar_t chr;
- endp = p;
- if (*endp == '!' || *endp == '^')
- endp++;
- do {
- while (*endp == CTLQUOTEMARK)
- endp++;
- if (*endp == 0)
- goto dft; /* no matching ] */
- if (*endp == CTLESC)
- endp++;
- } while (*++endp != ']');
+ savep = p, saveq = q;
invert = 0;
if (*p == '!' || *p == '^') {
invert++;
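Review bot: the pre-scan being deleted here (`do { ... } while (*++endp != ']')`) is the root cause: it skipped CTLQUOTEMARK and CTLESC but had no notion of `[:class:]`, so for `[[:alpha:]` it accepted the `]` that terminates the class as the closing bracket and let the loop below, which assumed a `]` exists, read past the end of the pattern; deleting it rather than teaching it about classes is the right call, since it avoids two parsers that must be kept in agreement. Please add a short comment at `savep = p, saveq = q;` saying why q is saved too: the loop below consumes a subject character (`chr = (unsigned char)*q++`) before it can know whether a `]` exists, so falling back to a literal `[` must rewind q as well as p. Minor style: two statements (`savep = p; saveq = q;`) read more clearly than the comma expression.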
@@ -1501,6 +1491,11 @@ patmatch(const char *pattern, const char
chr = (unsigned char)*q++;
c = *p++;
do {
+ if (c == '\0') {
+ p = savep, q = saveq;
+ c = '[';
+ goto dft;
+ }
if (c == CTLQUOTEMARK)
continue;
if (c == '[' && *p == ':') {
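Review bot: placing the `c == '\0'` test first in the loop body, ahead of the CTLQUOTEMARK and `[:` checks, is what makes this safe: once the pattern is exhausted nothing else dereferences `*p`, and `goto dft` with `c = '['` and the restored `p`/`q` gives the same literal-`[` behaviour the removed pre-scan's `goto dft; /* no matching ] */` produced for a plain `[abc`. One thing to confirm, since it is not visible in this hunk: the `[:class:]` scan that follows `if (c == '[' && *p == ':')` must itself stop at NUL, otherwise an unterminated class (`[[:alpha`) could still run off the end before control returns to this check. Note also that `p` is left one past the terminator once `c = *p++` has read the NUL, so the restore has to come before any other use of `p`, which it does here; a one-line comment stating that the fallback re-matches the `[` literally would help the next reader.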
Modified: stable/10/bin/sh/tests/builtins/Makefile
==============================================================================
--- stable/10/bin/sh/tests/builtins/Makefile Sun Sep 13 13:52:54 2015 (r287751)
+++ stable/10/bin/sh/tests/builtins/Makefile Sun Sep 13 13:58:46 2015 (r287752)
@@ -34,6 +34,7 @@ FILES+= case16.0
FILES+= case17.0
FILES+= case18.0
FILES+= case19.0
+FILES+= case20.0
FILES+= cd1.0
FILES+= cd2.0
FILES+= cd3.0
Copied: stable/10/bin/sh/tests/builtins/case20.0 (from r287148, head/bin/sh/tests/builtins/case20.0)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ stable/10/bin/sh/tests/builtins/case20.0 Sun Sep 13 13:58:46 2015 (r287752, copy of r287148, head/bin/sh/tests/builtins/case20.0)
@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+# Shells do not agree about what this pattern should match, but it is
+# certain that it must not crash and the missing close bracket must not
+# be simply ignored.
+
+case B in
+[[:alpha:]) echo bad ;;
+esac
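Review bot: the test pins down only that `B` is not matched and that the shell survives; since the fix also has to rewind through a `!`/`^` prefix and through a class that is itself unterminated, consider also exercising `[![:alpha:]` and `[[:alpha`, which take different paths through the same loop, at least for the must-not-crash property. The header comment explaining that shells disagree on the semantics is useful: it stops someone later "fixing" the expected result to match another shell.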