On Fri, Jul 31, 2015 at 11:18:15AM -0700, enh wrote:
> automated fuzzing caught this:
>
> #include <fnmatch.h>
> #include <string.h>
> int main() {
>     char *str = strdup("*[\\$:*[:lower:]");
>     fnmatch(str, str, 0x27);
> }
This is the output of Valgrind as of today:
==7819== Memcheck, a memory error detector
==7819== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7819== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==7819== Command: ./fnmatch
==7819==
==7819== Invalid read of size 1
==7819== at 0x54438F2: fnmatch_ch (fnmatch.c:201)
==7819== by 0x5443FCB: fnmatch (fnmatch.c:417)
==7819== by 0x108C4D: main (fnmatch.c:5)
==7819== Address 0x58f8050 is 0 bytes after a block of size 16 alloc'd
==7819== at 0x501B224: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-openbsd.so)
==7819== by 0x54A7D28: strdup (strdup.c:45)
==7819== by 0x108C37: main (fnmatch.c:4)
==7819==
==7819== Invalid read of size 1
==7819== at 0x54439A0: fnmatch_ch (fnmatch.c:238)
==7819== by 0x5443FCB: fnmatch (fnmatch.c:417)
==7819== by 0x108C4D: main (fnmatch.c:5)
==7819== Address 0x58f8050 is 0 bytes after a block of size 16 alloc'd
==7819== at 0x501B224: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-openbsd.so)
==7819== by 0x54A7D28: strdup (strdup.c:45)
==7819== by 0x108C37: main (fnmatch.c:4)
==7819==
==7819== Invalid read of size 1
==7819== at 0x54438F2: fnmatch_ch (fnmatch.c:201)
==7819== by 0x5443E68: fnmatch (fnmatch.c:443)
==7819== by 0x108C4D: main (fnmatch.c:5)
==7819== Address 0x58f8050 is 0 bytes after a block of size 16 alloc'd
==7819== at 0x501B224: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-openbsd.so)
==7819== by 0x54A7D28: strdup (strdup.c:45)
==7819== by 0x108C37: main (fnmatch.c:4)
==7819==
==7819== Invalid read of size 1
==7819== at 0x54439A0: fnmatch_ch (fnmatch.c:238)
==7819== by 0x5443E68: fnmatch (fnmatch.c:443)
==7819== by 0x108C4D: main (fnmatch.c:5)
==7819== Address 0x58f8050 is 0 bytes after a block of size 16 alloc'd
==7819== at 0x501B224: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-openbsd.so)
==7819== by 0x54A7D28: strdup (strdup.c:45)
==7819== by 0x108C37: main (fnmatch.c:4)
==7819==
==7819==
==7819== FILE DESCRIPTORS: 3 open at exit.
==7819== Open file descriptor 2:
==7819== <inherited from parent>
==7819==
==7819== Open file descriptor 1:
==7819== <inherited from parent>
==7819==
==7819== Open file descriptor 0:
==7819== <inherited from parent>
==7819==
==7819==
==7819== HEAP SUMMARY:
==7819== in use at exit: 16 bytes in 1 blocks
==7819== total heap usage: 1 allocs, 0 frees, 16 bytes allocated
==7819==
==7819== LEAK SUMMARY:
==7819== definitely lost: 16 bytes in 1 blocks
==7819== indirectly lost: 0 bytes in 0 blocks
==7819== possibly lost: 0 bytes in 0 blocks
==7819== still reachable: 0 bytes in 0 blocks
==7819== suppressed: 0 bytes in 0 blocks
==7819== Rerun with --leak-check=full to see details of leaked memory
==7819==
==7819== For counts of detected and suppressed errors, rerun with: -v
==7819== ERROR SUMMARY: 6 errors from 4 contexts (suppressed: 0 from 0)
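Added example, not from this thread or from either libc: a small C harness that places the reporter's pattern so its terminating NUL is the last byte before an unmapped guard page, so the one-byte read "0 bytes after a block of size 16" that Valgrind flagged faults deterministically on a buggy fnmatch even without Valgrind. The names guarded_copy, guard_is_adjacent and run_guarded_fnmatch are chosen here; the pattern and the flags value 0x27 are taken from the report.

```c
#define _GNU_SOURCE
#include <fnmatch.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy s so that its terminating NUL is the last byte before a PROT_NONE guard
 * page: any read past the NUL faults instead of silently reading heap memory.
 * Returns NULL if the mapping or the guard cannot be set up. */
static char *guarded_copy(const char *s) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t n = strlen(s) + 1;                          /* include the NUL */
    size_t data_pages = (n + page - 1) / page;
    char *base = mmap(NULL, (data_pages + 1) * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    char *guard = base + data_pages * page;
    if (mprotect(guard, page, PROT_NONE) != 0)
        return NULL;
    char *copy = guard - n;                            /* NUL lands at guard - 1 */
    memcpy(copy, s, n);
    return copy;
}

/* True when the byte after the copy's NUL is the first byte of a page,
 * i.e. the layout guarded_copy promises actually holds. */
static int guard_is_adjacent(const char *copy) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return ((uintptr_t)(copy + strlen(copy) + 1) % page) == 0;
}

/* Run the reporter's reproducer (pattern matched against itself) on a guarded
 * copy. Returns the fnmatch result, or -1 if the guard could not be set up.
 * A buggy fnmatch dies with SIGSEGV here rather than returning. */
static int run_guarded_fnmatch(const char *pattern, int flags) {
    char *copy = guarded_copy(pattern);
    if (copy == NULL)
        return -1;
    return fnmatch(copy, copy, flags);
}

int main(void) {                           /* stand-alone run of the reproducer */
    int rc = run_guarded_fnmatch("*[\\$:*[:lower:]", 0x27);
    printf("fnmatch returned %d without faulting\n", rc);
    return rc == -1;
}
```

The mapping is intentionally never unmapped, so a debugger or core dump still shows the faulting address sitting exactly on the guard page.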