From 5159be88ad50641d9843289adda791ba300421ff Mon Sep 17 00:00:00 2001
From: Hong Xu <hong@topbug.net>
Date: Tue, 14 Apr 2026 23:11:39 -0700
Subject: [PATCH] Merge commit from fork

Completes the buffer-overflow fix from #87, which bounded writes into
`pcre_str` but left the initial `strcpy` of `pattern` into `l_pattern`
at the top of `ec_glob` unguarded. Sufficiently long patterns smash the
stack before any of the bounds-checked code runs.

Fix CVE-2026-40489
---
 src/lib/ec_glob.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c
index 18f98c1..8b1613f 100644
--- a/src/lib/ec_glob.c
+++ b/src/lib/ec_glob.c
@@ -96,8 +96,12 @@ int ec_glob(const char *pattern, const char *string)
     _Bool                     are_braces_paired = 1;
     UT_array *                nums;     /* number ranges */
     int                       ret = 0;
+    size_t                    pattern_len = strlen(pattern);
 
-    strcpy(l_pattern, pattern);
+    /* Reject patterns that would overflow l_pattern in the copy below. */
+    if (pattern_len >= sizeof(l_pattern))
+        return -1;
+    memcpy(l_pattern, pattern, pattern_len + 1);
     p_pcre = pcre_str + 1;
     pcre_str_end = pcre_str + 2 * PATTERN_MAX;
 
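Review bot: The new `return -1` for an over-long pattern fails closed but silently, and the hunk does not show whether callers distinguish it from a non-match or from the function's other error returns; if they only test for `== 0`, an oversized section pattern would be skipped with no diagnostic. I would extend the comment to state the contract, e.g. `/* Too long for l_pattern: return -1 (error, not a match) before anything is copied. */`, assuming -1 is the error value used elsewhere in `ec_glob`. The bound relies on `sizeof(l_pattern)`, which is only correct while `l_pattern` is a true array; its declaration is above the hunk, so that is worth confirming. Since this closes a stack overflow, a regression test with patterns of length `sizeof(l_pattern) - 1` (accepted) and `sizeof(l_pattern)` (rejected) would pin the boundary. `ec_glob` starts and ends outside this hunk.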
