>From a1900754312ab463291188026c60b82fb2176712 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Wed, 18 Oct 2017 10:19:35 -0700
Subject: [PATCH] glob: pacify fuzzer for mempcpy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem reported by Tim Rühsen in:
https://lists.gnu.org/archive/html/bug-gnulib/2017-10/msg00054.html
* lib/glob.c (glob): Do not pass NULL to mempcpy.
---
 ChangeLog | 7 +++++++
 lib/glob.c | 7 +++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 5e0c3c7f2..b280a7753 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-10-18 Paul Eggert
+
+ glob: pacify fuzzer for mempcpy
+ Problem reported by Tim Rühsen in:
+ https://lists.gnu.org/archive/html/bug-gnulib/2017-10/msg00054.html
+ * lib/glob.c (glob): Do not pass NULL to mempcpy.
+
 2017-10-12 Bruno Haible
 doc: Fix syntax error (regression from 2017-10-03).
diff --git a/lib/glob.c b/lib/glob.c
index 9d677d982..33030ec72 100644
--- a/lib/glob.c
+++ b/lib/glob.c
@@ -800,6 +800,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 {
 size_t home_len = strlen (p->pw_dir);
 size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+ char *d;
 if (__glibc_unlikely (malloc_dirname))
 free (dirname);
@@ -819,8 +820,10 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 }
 malloc_dirname = 1;
 }
- *((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
- end_name, rest_len)) = '\0';
+ d = mempcpy (dirname, p->pw_dir, home_len);
+ if (end_name != NULL)
+ d = mempcpy (d, end_name, rest_len);
+ *d = '\0';
 dirlen = home_len + rest_len;
 dirname_modified = 1;
--
2.13.6
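Review bot: The new `if (end_name != NULL)` guard in the second lib/glob.c hunk carries no comment saying why it exists, and the subject's "pacify fuzzer" wording makes it look like something a later cleanup could fold back into the nested call. Passing a null source to mempcpy is undefined behavior even when the length is 0, and a compiler that treats the arguments as non-null may be entitled to assume end_name is non-null afterwards, so this reads as a correctness fix rather than a sanitizer workaround. I would put `/* end_name may be NULL here; mempcpy (d, NULL, 0) is undefined.  */` directly above the guard. The enclosing block of glob starts and ends outside both hunks, so whether end_name is tested again later is not visible here.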