From 0b664ba968437715819bfe4c7ada5679d16ebbc3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 10 Nov 2017 08:52:45 +0100
Subject: wildcardmatch: fix heap buffer overflow in setcharset

The code would previous read beyond the end of the pattern string if the
match pattern ends with an open bracket when the default pattern
matching function is used.

Detected by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161

CVE-2017-8817

Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
---
 lib/curl_fnmatch.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

(limited to 'lib/curl_fnmatch.c')

diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
index da83393b4..8a1e106c4 100644
--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
   unsigned char c;
   for(;;) {
     c = **p;
+    if(!c)
+      return SETCHARSET_FAIL;
+
     switch(state) {
     case CURLFNM_SCHS_DEFAULT:
       if(ISALNUM(c)) { /* ASCII value */
@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
         else
           return SETCHARSET_FAIL;
       }
-      else if(c == '\0') {
-        return SETCHARSET_FAIL;
-      }
       else {
         charset[c] = 1;
         (*p)++;
@@ -274,9 +274,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
       else if(c == ']') {
         return SETCHARSET_OK;
       }
-      else if(c == '\0') {
-        return SETCHARSET_FAIL;
-      }
       else if(ISPRINT(c)) {
         charset[c] = 1;
         (*p)++;
-- 
cgit v1.2.3