Unverified Commit 0b664ba9 authored by Daniel Stenberg's avatar Daniel Stenberg

wildcardmatch: fix heap buffer overflow in setcharset

The code would previously read beyond the end of the pattern string if the
match pattern ends with an open bracket when the default pattern
matching function is used.

Detected by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161

CVE-2017-8817

Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
parent 9b5e12a5
+3 −6
@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
  unsigned char c;
  for(;;) {
    c = **p;
    if(!c)
      return SETCHARSET_FAIL;

    switch(state) {
    case CURLFNM_SCHS_DEFAULT:
      if(ISALNUM(c)) { /* ASCII value */
@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
        else
          return SETCHARSET_FAIL;
      }
      else if(c == '\0') {
        return SETCHARSET_FAIL;
      }
      else {
        charset[c] = 1;
        (*p)++;
@@ -274,9 +274,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
      else if(c == ']') {
        return SETCHARSET_OK;
      }
      else if(c == '\0') {
        return SETCHARSET_FAIL;
      }
      else if(ISPRINT(c)) {
        charset[c] = 1;
        (*p)++;
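Review bot: The `if(!c) return SETCHARSET_FAIL;` guard added after `c = **p;` is now the only end-of-pattern check in setcharset, and nothing at that spot says so. The per-branch `c == '\0'` tests in the later two hunks appear to be the removed lines, so every state of the switch now depends on never stepping `*p` past a byte that has not been through this guard. Any branch that advances by more than one or reads ahead, including ones outside the visible hunks, should be checked against that. I would add a comment above the guard, e.g. `/* sole NUL check: no state below may advance *p past a byte it has not examined */`. The function body starts before and continues after the hunks shown.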
+1 −1
@@ -125,7 +125,7 @@ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
test1152 test1153 \
\
test1160 test1161 test1162 \
test1160 test1161 test1162 test1163 \
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
test1216 test1217 test1218 test1219 \

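--- /dev/null
+++ b/tests/data/test1163
@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+FTP
+RETR
+LIST
+wildcardmatch
+ftplistparser
+flaky
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<tool>
+lib576
+</tool>
+<name>
+FTP wildcard with pattern ending with an open-bracket
+</name>
+<command>
+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
+</command>
+</client>
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD fully_simulated
+CWD DOS
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
+<errorcode>
+78
+</errorcode>
+</verify>
+</testcase>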
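Review bot: The `<verify>` section checks only the protocol trace and exit code 78, but the defect was a read past the end of the pattern string, which need not change either of those. As written, the test probably catches a regression only when run under valgrind or a sanitizer build. A comment in the file would make that explicit, e.g. `# regression test for an out-of-bounds read: only meaningful under valgrind or ASan`. The `flaky` keyword is also worth a second look: if the harness skips such tests or ignores their failures, as the keyword suggests, coverage for this CVE disappears without notice.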