From 4a28f4d55a6cc33474c0792fe93b5942d81bf185 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Thu, 26 Feb 2015 14:55:24 +0100
Subject: [PATCH] Fix read past end of pattern in fnmatch (bug 18032)

---
 ChangeLog            | 7 +++++++
 NEWS                 | 2 +-
 posix/fnmatch_loop.c | 5 ++---
 posix/tst-fnmatch3.c | 8 +++++---
 4 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 432c35d5aa..90c42c85a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-02-26  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #18032]
+	* posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+	over collating symbol inside a bracket expression.  Minor cleanup.
+	* posix/tst-fnmatch3.c (do_test): Add test case.
+
 2015-02-26  Joseph Myers  <joseph@codesourcery.com>
 
 	[BZ #18029]
diff --git a/NEWS b/NEWS
index 75e83e0a17..77e081464d 100644
--- a/NEWS
+++ b/NEWS
@@ -12,7 +12,7 @@ Version 2.22
   4719, 14841, 13064, 14094, 15319, 15467, 15790, 15969, 16560, 16783,
   17269, 17523, 17569, 17588, 17792, 17836, 17912, 17916, 17932, 17944,
   17949, 17964, 17965, 17967, 17969, 17978, 17987, 17991, 17996, 17998,
-  17999, 18019, 18020, 18029.
+  17999, 18019, 18020, 18029, 18032.
 
 * Character encoding and ctype tables were updated to Unicode 7.0.0, using
   new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index c0cb2fc3e6..72c5d8f041 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -945,14 +945,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 		  }
 		else if (c == L('[') && *p == L('.'))
 		  {
-		    ++p;
 		    while (1)
 		      {
 			c = *++p;
-			if (c == '\0')
+			if (c == L('\0'))
 			  return FNM_NOMATCH;
 
-			if (*p == L('.') && p[1] == L(']'))
+			if (c == L('.') && p[1] == L(']'))
 			  break;
 		      }
 		    p += 2;
diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
index d27a557c7c..75bc00a2c5 100644
--- a/posix/tst-fnmatch3.c
+++ b/posix/tst-fnmatch3.c
@@ -21,9 +21,11 @@
 int
 do_test (void)
 {
-  const char *pattern = "[[:alpha:]'[:alpha:]\0]";
-
-  return fnmatch (pattern, "a", 0) != FNM_NOMATCH;
+  if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH)
+    return 1;
+  if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
+    return 1;
+  return 0;
 }
 
 #define TEST_FUNCTION do_test ()
-- 
2.11.4.GIT