authorDaniel Stenberg <daniel@haxx.se>2017-11-10 08:52:45 +0100
committerDaniel Stenberg <daniel@haxx.se>2017-11-27 08:19:34 +0100
commit0b664ba968437715819bfe4c7ada5679d16ebbc3 (patch)
treedc93d3b1c104f43a54b703bb69a71621c658cff8 /lib/curl_fnmatch.c
parent9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400 (diff)
wildcardmatch: fix heap buffer overflow in setcharset
The code would previously read beyond the end of the pattern string if the match pattern ends with an open bracket when the default pattern matching function is used. Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 CVE-2017-8817 Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
Diffstat (limited to 'lib/curl_fnmatch.c')
-rw-r--r--lib/curl_fnmatch.c9
1 files changed, 3 insertions, 6 deletions
diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
index da83393b4..8a1e106c4 100644
--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
unsigned char c;
for(;;) {
c = **p;
+ if(!c)
+ return SETCHARSET_FAIL;
+
switch(state) {
case CURLFNM_SCHS_DEFAULT:
if(ISALNUM(c)) { /* ASCII value */
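Review bot: The new `if(!c)` check at the top of the loop is now the only place where setcharset stops at the pattern's terminating NUL, and nothing on the line says so. I would add a comment such as `/* pattern ended inside a bracket expression: fail before any state advances *p past the terminator */` so that a later edit does not move or drop it. The guard only holds if every state advances `*p` by a single byte per iteration; any branch outside this hunk that steps further or looks ahead (not visible here) would need its own bound check, which is worth confirming. The function body starts and ends outside the hunk.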
@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
else
return SETCHARSET_FAIL;
}
- else if(c == '\0') {
- return SETCHARSET_FAIL;
- }
else {
charset[c] = 1;
(*p)++;
@@ -274,9 +274,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
else if(c == ']') {
return SETCHARSET_OK;
}
- else if(c == '\0') {
- return SETCHARSET_FAIL;
- }
else if(ISPRINT(c)) {
charset[c] = 1;
(*p)++;