From ade37d37ffc450b5b2a94bd475f8a1a07edd10b8 Mon Sep 17 00:00:00 2001
From: jilles
Date: Sun, 13 Sep 2015 13:58:46 +0000
Subject: [PATCH] MFC r287148: sh: Fix out of bounds read when there is no ] after a [:class:].

The initial check for a matching ] was incorrect if a ] may be consumed by a [:class:]. The subsequent loop assumed that there must be a ].

Remove the initial check and make the loop cope with a missing ].

Found with afl-fuzz.

git-svn-id: svn://svn.freebsd.org/base/stable/10@287752 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 bin/sh/expand.c | 19 +++++++------------
 bin/sh/tests/builtins/Makefile | 1 +
 bin/sh/tests/builtins/case20.0 | 9 +++++++++
 3 files changed, 17 insertions(+), 12 deletions(-)
 create mode 100644 bin/sh/tests/builtins/case20.0

diff --git a/bin/sh/expand.c b/bin/sh/expand.c
index 7c68dca26..84e342da8 100644
--- a/bin/sh/expand.c
+++ b/bin/sh/expand.c
@@ -1468,21 +1468,11 @@ patmatch(const char *pattern, const char *string, int squoted)
 bt_q = q;
 break;
 case '[': {
- const char *endp;
+ const char *savep, *saveq;
 int invert, found;
 wchar_t chr;
 
- endp = p;
- if (*endp == '!' || *endp == '^')
- endp++;
- do {
- while (*endp == CTLQUOTEMARK)
- endp++;
- if (*endp == 0)
- goto dft; /* no matching ] */
- if (*endp == CTLESC)
- endp++;
- } while (*++endp != ']');
+ savep = p, saveq = q;
 invert = 0;
 if (*p == '!' || *p == '^') {
 invert++;
@@ -1501,6 +1491,11 @@ patmatch(const char *pattern, const char *string, int squoted)
 chr = (unsigned char)*q++;
 c = *p++;
 do {
+ if (c == '\0') {
+ p = savep, q = saveq;
+ c = '[';
+ goto dft;
+ }
 if (c == CTLQUOTEMARK)
 continue;
 if (c == '[' && *p == ':') {
diff --git a/bin/sh/tests/builtins/Makefile b/bin/sh/tests/builtins/Makefile
index 2c90cbda6..ec4cab630 100644
--- a/bin/sh/tests/builtins/Makefile
+++ b/bin/sh/tests/builtins/Makefile
@@ -34,6 +34,7 @@ FILES+= case16.0
 FILES+= case17.0
 FILES+= case18.0
 FILES+= case19.0
+FILES+= case20.0
 FILES+= cd1.0
 FILES+= cd2.0
 FILES+= cd3.0 
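Review bot: The added `savep = p, saveq = q;` in the first expand.c hunk carries no hint of why the string cursor is saved alongside the pattern cursor, and the comma operator hides that these are two independent statements. The reason is only visible in the second hunk: the bracket branch consumes a string character (`chr = (unsigned char)*q++`) before it can know whether a closing `]` exists, so a bail-out to the literal-`[` path must rewind q as well or it would silently skip that character. I would write it as `savep = p;` and `saveq = q; /* rewind point: the '[' path consumes *q before it knows the bracket is complete */`. patmatch begins before this hunk, so the surrounding declarations of p, q and c are not visible here.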
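Review bot: The new `if (c == '\0')` guard in the second expand.c hunk only protects the byte fetched at the top of each iteration; any read of `*p` or `*p++` later in the same iteration (the `[:` class lookup visible on the last hunk line, and the CTLESC handling and loop condition that lie outside the hunk) has to stop at NUL on its own for the fix to be complete. In particular, if a pattern could ever end in a bare CTLESC, an escape path that does `c = *p++` would step past the terminator before the next iteration's check runs; presumably the parser never emits a trailing CTLESC, but that invariant is what the fix now rests on and deserves to be stated. The restore branch itself is correct as far as the hunk shows, but it reads as magic without a comment, so I would add above it `/* Pattern ended without ']': treat the '[' literally and rematch from the saved pattern and string positions. */`. The enclosing do/while loop and patmatch's body continue beyond the hunk.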
diff --git a/bin/sh/tests/builtins/case20.0 b/bin/sh/tests/builtins/case20.0
new file mode 100644
index 000000000..03a4eb2c9
--- /dev/null
+++ b/bin/sh/tests/builtins/case20.0
@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+# Shells do not agree about what this pattern should match, but it is
+# certain that it must not crash and the missing close bracket must not
+# be simply ignored.
+
+case B in
+[[:alpha:]) echo bad ;;
+esac
-- 
2.42.0
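Review bot: `echo bad` leaves the script's exit status at 0, so the second requirement stated in the header comment (the missing `]` must not be silently ignored) is only enforced if the test harness compares stdout against empty output for a `.0` test; if it checks the exit status alone, a shell that treats `[[:alpha:]` as `[[:alpha:]]` would still pass. I cannot see the harness from here, so if it does not diff stdout, `[[:alpha:]) echo bad; exit 1 ;;` would make the failure visible by status as well. The crash requirement is covered either way, since a crash cannot exit 0.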