From 090eccf092cfa83e558b6ac8dd7479ab14d018d2 Mon Sep 17 00:00:00 2001 From: Xavier Del Campo Romero Date: Sun, 9 Jul 2023 05:13:30 +0200 Subject: wildcard_cmp.c: Fix out-of-bounds cmp When the distance between '*' on a wildcard expression was larger than the string to compare with, this would cause an out-of-bounds read because `n` was not being limited to the strlen(3) from the input string. Example: - s="c", p="*cc*", casecmp=false Here, the distance between the first and second '*' is 2 bytes, which is longer than the input string itself (1 byte, not counting the terminating null byte '\0'). --- wildcard_cmp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wildcard_cmp.c b/wildcard_cmp.c index dd19d6c..fe0b3e1 100644 --- a/wildcard_cmp.c +++ b/wildcard_cmp.c @@ -30,7 +30,8 @@ int wildcard_cmp(const char *s, const char *p, const bool casecmp) return r; } - const size_t n = wc - p; + const size_t auxn = wc - p, rem = strlen(s), + n = auxn > rem ? rem : auxn; if (n) { -- cgit v1.2.3
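Review bot: In the new `n = auxn > rem ? rem : auxn;` line, clamping the length to `strlen(s)` stops the over-read but also shortens the comparison, so when `auxn > rem` only the first `rem` bytes of the literal between the two wildcards are checked. A literal segment longer than the remaining input can never match, so an explicit mismatch return when `auxn > rem` would be clearer than comparing a truncated prefix. The code under `if (n)` is not visible in this hunk, so please confirm that the commit message's case (s="c", p="*cc*", casecmp=false) ends up as a non-match, and add it as a regression test. Minor style point: `auxn`, `rem` and `n` declared in a single `const size_t` statement are hard to scan; one declaration per line, with a short comment on why `n` is limited, would help.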