On Fri, Jul 31, 2015 at 11:18:15AM -0700, enh wrote:
> automated fuzzing caught this:
>
> #include <fnmatch.h>
> #include <string.h>
> int main() {
>   char *str = strdup("*[\\$:*[:lower:]");
>   fnmatch(str, str, 0x27);
> }
This is the output of Valgrind as of today:

==7819== Memcheck, a memory error detector
==7819== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7819== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==7819== Command: ./fnmatch
==7819==
==7819== Invalid read of size 1
==7819==    at 0x54438F2: fnmatch_ch (fnmatch.c:201)
==7819==    by 0x5443FCB: fnmatch (fnmatch.c:417)
==7819==    by 0x108C4D: main (fnmatch.c:5)
==7819==  Address 0x58f8050 is 0 bytes after a block of size 16 alloc'd
==7819==    at 0x501B224: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-openbsd.so)
==7819==    by 0x54A7D28: strdup (strdup.c:45)
==7819==    by 0x108C37: main (fnmatch.c:4)
==7819==
==7819== Invalid read of size 1
==7819==    at 0x54439A0: fnmatch_ch (fnmatch.c:238)
==7819==    by 0x5443FCB: fnmatch (fnmatch.c:417)
==7819==    by 0x108C4D: main (fnmatch.c:5)
==7819==  Address 0x58f8050 is 0 bytes after a block of size 16 alloc'd
==7819==    at 0x501B224: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-openbsd.so)
==7819==    by 0x54A7D28: strdup (strdup.c:45)
==7819==    by 0x108C37: main (fnmatch.c:4)
==7819==
==7819== Invalid read of size 1
==7819==    at 0x54438F2: fnmatch_ch (fnmatch.c:201)
==7819==    by 0x5443E68: fnmatch (fnmatch.c:443)
==7819==    by 0x108C4D: main (fnmatch.c:5)
==7819==  Address 0x58f8050 is 0 bytes after a block of size 16 alloc'd
==7819==    at 0x501B224: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-openbsd.so)
==7819==    by 0x54A7D28: strdup (strdup.c:45)
==7819==    by 0x108C37: main (fnmatch.c:4)
==7819==
==7819== Invalid read of size 1
==7819==    at 0x54439A0: fnmatch_ch (fnmatch.c:238)
==7819==    by 0x5443E68: fnmatch (fnmatch.c:443)
==7819==    by 0x108C4D: main (fnmatch.c:5)
==7819==  Address 0x58f8050 is 0 bytes after a block of size 16 alloc'd
==7819==    at 0x501B224: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-openbsd.so)
==7819==    by 0x54A7D28: strdup (strdup.c:45)
==7819==    by 0x108C37: main (fnmatch.c:4)
==7819==
==7819==
==7819== FILE DESCRIPTORS: 3 open at exit.
==7819== Open file descriptor 2:
==7819==    <inherited from parent>
==7819==
==7819== Open file descriptor 1:
==7819==    <inherited from parent>
==7819==
==7819== Open file descriptor 0:
==7819==    <inherited from parent>
==7819==
==7819==
==7819== HEAP SUMMARY:
==7819==     in use at exit: 16 bytes in 1 blocks
==7819==   total heap usage: 1 allocs, 0 frees, 16 bytes allocated
==7819==
==7819== LEAK SUMMARY:
==7819==    definitely lost: 16 bytes in 1 blocks
==7819==    indirectly lost: 0 bytes in 0 blocks
==7819==      possibly lost: 0 bytes in 0 blocks
==7819==    still reachable: 0 bytes in 0 blocks
==7819==         suppressed: 0 bytes in 0 blocks
==7819== Rerun with --leak-check=full to see details of leaked memory
==7819==
==7819== For counts of detected and suppressed errors, rerun with: -v
==7819== ERROR SUMMARY: 6 errors from 4 contexts (suppressed: 0 from 0)
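A guard-page harness for the report above, as an added example that is not part of the thread: it places the fuzzer's pattern so that its NUL terminator is the last byte before a PROT_NONE page, so the one-byte read past the 16-byte block that Valgrind flags faults immediately even on a host without Valgrind. The pattern and the 0x27 flags are the ones from the report; fnmatch_guarded is a name of my own.

```c
#define _GNU_SOURCE
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy `pattern` into a fresh mapping so that it ends exactly at a
 * PROT_NONE guard page, then call fnmatch() on it the way the report
 * does (pattern matched against itself). Any read past the terminator
 * hits the guard page and raises SIGSEGV instead of silently over-reading.
 * Returns fnmatch's result, or -1 if the mapping could not be set up. */
int fnmatch_guarded(const char *pattern, int flags)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = strlen(pattern) + 1;            /* include the NUL */
    if (len > page)
        return -1;

    char *map = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        return -1;
    /* Second page is the guard: every access to it faults. */
    if (mprotect(map + page, page, PROT_NONE) != 0) {
        munmap(map, 2 * page);
        return -1;
    }

    char *str = map + page - len;                /* NUL lands at map+page-1 */
    memcpy(str, pattern, len);

    int rc = fnmatch(str, str, flags);           /* crashes on a libc with the over-read */

    munmap(map, 2 * page);
    return rc;
}

int main(void)
{
    /* Pattern and flags taken from the fuzzing report in the thread. */
    int rc = fnmatch_guarded("*[\\$:*[:lower:]", 0x27);
    printf("fnmatch returned %d without touching the guard page\n", rc);
    return rc == -1;
}
```

A libc that still reads the byte after the terminator dies with SIGSEGV inside fnmatch_ch; a fixed one returns 0 or FNM_NOMATCH normally.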