new file mode 100644

@@ -0,0 +1,2220 @@

+2017-10-21  Florian Weimer  <fweimer@redhat.com>

+

+	* posix/Makefile (tests): Add tst-glob-tilde.

+	(tests-special): Add tst-glob-tilde-mem.out

+	(tst-glob-tilde-ENV): Set MALLOC_TRACE.

+	(tst-glob-tilde-mem.out): Add mtrace check.

+	* posix/tst-glob-tilde.c: New file.

+

+2017-09-08  Adhemerval Zanella  <adhemerval.zanella@linaro.org>

+

+	[BZ #1062]

+	[BZ #22325]

+	CVE-2017-15671

+	* posix/Makefile (routines): Add globfree, globfree64, and

+	glob_pattern_p.

+	* posix/flexmember.h: New file.

+	* posix/glob_internal.h: Likewise.

+	* posix/glob_pattern_p.c: Likewise.

+	* posix/globfree.c: Likewise.

+	* posix/globfree64.c: Likewise.

+	* sysdeps/gnu/globfree64.c: Likewise.

+	* sysdeps/unix/sysv/linux/alpha/globfree.c: Likewise.

+	* sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c: Likewise.

+	* sysdeps/unix/sysv/linux/oldglob.c: Likewise.

+	* sysdeps/unix/sysv/linux/wordsize-64/globfree64.c: Likewise.

+	* sysdeps/unix/sysv/linux/x86_64/x32/globfree.c: Likewise.

+	* sysdeps/wordsize-64/globfree.c: Likewise.

+	* sysdeps/wordsize-64/globfree64.c: Likewise.

+	* posix/glob.c (HAVE_CONFIG_H): Use !_LIBC instead.

+	[NDEBUG): Remove comments.

+	(GLOB_ONLY_P, _AMIGA, VMS): Remove define.

+	(dirent_type): New type.  Use uint_fast8_t not

+	uint8_t, as C99 does not require uint8_t.

+	(DT_UNKNOWN, DT_DIR, DT_LNK): New macros.

+	(struct readdir_result): Use dirent_type.  Do not define skip_entry

+	unless it is needed; this saves a byte on platforms lacking d_ino.

+	(readdir_result_type, readdir_result_skip_entry):

+	New functions, replacing ...

+	(readdir_result_might_be_symlink, readdir_result_might_be_dir):

+	 these functions, which were removed.  This makes the callers

+	easier to read.  All callers changed.

+	(D_INO_TO_RESULT): Now empty if there is no d_ino.

+	(size_add_wrapv, glob_use_alloca): New static functions.

+	(glob, glob_in_dir): Check for size_t overflow in several places,

+	and fix some size_t checks that were not quite right.

+	Remove old code using SHELL since Bash no longer

+	uses this.

+	(glob, prefix_array): Separate MS code better.

+	(glob_in_dir): Remove old Amiga and VMS code.

+	(globfree, __glob_pattern_type, __glob_pattern_p): Move to

+	separate files.

+	(glob_in_dir): Do not rely on undefined behavior in accessing

+	struct members beyond their bounds.  Use a flexible array member

+	instead

+	(link_stat): Rename from link_exists2_p and return -1/0 instead of

+	0/1.  Caller changed.

+	(glob): Fix memory leaks.

+	* posix/glob64 (globfree64): Move to separate file.

+	* sysdeps/gnu/glob64.c (NO_GLOB_PATTERN_P): Remove define.

+	(globfree64): Remove hidden alias.

+	* sysdeps/unix/sysv/linux/Makefile (sysdeps_routines): Add

+	oldglob.

+	* sysdeps/unix/sysv/linux/alpha/glob.c (__new_globfree): Move to

+	separate file.

+	* sysdeps/unix/sysv/linux/i386/glob64.c (NO_GLOB_PATTERN_P): Remove

+	define.

+	Move compat code to separate file.

+	* sysdeps/wordsize-64/glob.c (globfree): Move definitions to

+	separate file.

+

+2017-08-20  H.J. Lu  <hongjiu.lu@intel.com>

+

+	[BZ #18822]

+	* sysdeps/unix/sysv/linux/i386/glob64.c (__old_glob64): Add

+	libc_hidden_proto and libc_hidden_def.

+

+Index: glibc-2.22/posix/Makefile

+===================================================================

+--- glibc-2.22.orig/posix/Makefile

+@@ -43,7 +43,7 @@ routines :=								      \

+ 	getpgid setpgid getpgrp bsd-getpgrp setpgrp getsid setsid	      \

+ 	getresuid getresgid setresuid setresgid				      \

+ 	pathconf sysconf fpathconf					      \

+-	glob glob64 fnmatch regex					      \

++	glob glob64 globfree globfree64 glob_pattern_p fnmatch regex	      \

+ 	confstr								      \

+ 	getopt getopt1 getopt_init					      \

+ 	sched_setp sched_getp sched_sets sched_gets sched_yield sched_primax  \

+@@ -87,7 +87,7 @@ tests		:= tstgetopt testfnm runtests run

+ 		   bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \

+ 		   bug-getopt5 tst-getopt_long1 bug-regex34 bug-regex35 \

+ 		   tst-pathconf tst-getaddrinfo4 tst-rxspencer-no-utf8 \

+-		   tst-fnmatch3 bug-regex36 tst-getaddrinfo5

++		   tst-fnmatch3 bug-regex36 tst-getaddrinfo5 tst-glob-tilde

+ xtests		:= bug-ga2

+ ifeq (yes,$(build-shared))

+ test-srcs	:= globtest

+@@ -130,7 +130,8 @@ tests-special += $(objpfx)bug-regex2-mem

+ 		 $(objpfx)tst-rxspencer-no-utf8-mem.out $(objpfx)tst-pcre-mem.out \

+ 		 $(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \

+ 		 $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \

+-		 $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out

++		 $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \

++		 $(objpfx)tst-glob-tilde-mem.out

+ xtests-special += $(objpfx)bug-ga2-mem.out

+ endif

+ 

+@@ -307,6 +308,12 @@ $(objpfx)bug-glob2-mem.out: $(objpfx)bug

+ 	$(common-objpfx)malloc/mtrace $(objpfx)bug-glob2.mtrace > $@; \

+ 	$(evaluate-test)

+ 

++tst-glob-tilde-ENV = MALLOC_TRACE=$(objpfx)tst-glob-tilde.mtrace

++

++$(objpfx)tst-glob-tilde-mem.out: $(objpfx)tst-glob-tilde.out

++	$(common-objpfx)malloc/mtrace $(objpfx)tst-glob-tilde.mtrace > $@; \

++	$(evaluate-test)

++

+ $(inst_libexecdir)/getconf: $(inst_bindir)/getconf \

+ 			    $(objpfx)getconf.speclist FORCE

+ 	$(addprefix $(..)./scripts/mkinstalldirs ,\

+Index: glibc-2.22/posix/flexmember.h

+===================================================================

+--- /dev/null

+@@ -0,0 +1,45 @@

++/* Sizes of structs with flexible array members.

++

++   Copyright 2016-2017 Free Software Foundation, Inc.

++

++   This file is part of the GNU C Library.

++

++   The GNU C Library is free software; you can redistribute it and/or

++   modify it under the terms of the GNU Lesser General Public

++   License as published by the Free Software Foundation; either

++   version 2.1 of the License, or (at your option) any later version.

++

++   The GNU C Library is distributed in the hope that it will be useful,

++   but WITHOUT ANY WARRANTY; without even the implied warranty of

++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

++   Lesser General Public License for more details.

++

++   You should have received a copy of the GNU Lesser General Public

++   License along with the GNU C Library; if not, see

++   <http://www.gnu.org/licenses/>.

++

++   Written by Paul Eggert.  */

++

++#include <stddef.h>

++

++/* Nonzero multiple of alignment of TYPE, suitable for FLEXSIZEOF below.

++   On older platforms without _Alignof, use a pessimistic bound that is

++   safe in practice even if FLEXIBLE_ARRAY_MEMBER is 1.

++   On newer platforms, use _Alignof to get a tighter bound.  */

++

++#if !defined __STDC_VERSION__ || __STDC_VERSION__ < 201112

++# define FLEXALIGNOF(type) (sizeof (type) & ~ (sizeof (type) - 1))

++#else

++# define FLEXALIGNOF(type) _Alignof (type)

++#endif

++

++/* Upper bound on the size of a struct of type TYPE with a flexible

++   array member named MEMBER that is followed by N bytes of other data.

++   This is not simply sizeof (TYPE) + N, since it may require

++   alignment on unusually picky C11 platforms, and

++   FLEXIBLE_ARRAY_MEMBER may be 1 on pre-C11 platforms.

++   Yield a value less than N if and only if arithmetic overflow occurs.  */

++

++#define FLEXSIZEOF(type, member, n) \

++   ((offsetof (type, member) + FLEXALIGNOF (type) - 1 + (n)) \

++    & ~ (FLEXALIGNOF (type) - 1))

+Index: glibc-2.22/posix/glob.c

+===================================================================

+--- glibc-2.22.orig/posix/glob.c

+@@ -15,7 +15,7 @@

+    License along with the GNU C Library; if not, see

+    <http://www.gnu.org/licenses/>.  */

+ 

+-#ifdef	HAVE_CONFIG_H

++#ifndef _LIBC

+ # include <config.h>

+ #endif

+ 

+@@ -27,29 +27,15 @@

+ #include <stdbool.h>

+ #include <stddef.h>

+ #include <stdint.h>

+-

+-/* Outcomment the following line for production quality code.  */

+-/* #define NDEBUG 1 */

+ #include <assert.h>

++#include <unistd.h>

+ 

+-#include <stdio.h>		/* Needed on stupid SunOS for assert.  */

+-

+-#if !defined _LIBC || !defined GLOB_ONLY_P

+-#if defined HAVE_UNISTD_H || defined _LIBC

+-# include <unistd.h>

+-# ifndef POSIX

+-#  ifdef _POSIX_VERSION

+-#   define POSIX

+-#  endif

+-# endif

++#if (defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__

++# define WINDOWS32

+ #endif

+ 

+-#include <pwd.h>

+-

+-#if defined HAVE_STDINT_H || defined _LIBC

+-# include <stdint.h>

+-#elif !defined UINTPTR_MAX

+-# define UINTPTR_MAX (~((size_t) 0))

++#ifndef WINDOWS32

++# include <pwd.h>

+ #endif

+ 

+ #include <errno.h>

+@@ -57,24 +43,7 @@

+ # define __set_errno(val) errno = (val)

+ #endif

+ 

+-#if defined HAVE_DIRENT_H || defined __GNU_LIBRARY__

+-# include <dirent.h>

+-#else

+-# define dirent direct

+-# ifdef HAVE_SYS_NDIR_H

+-#  include <sys/ndir.h>

+-# endif

+-# ifdef HAVE_SYS_DIR_H

+-#  include <sys/dir.h>

+-# endif

+-# ifdef HAVE_NDIR_H

+-#  include <ndir.h>

+-# endif

+-# ifdef HAVE_VMSDIR_H

+-#  include "vmsdir.h"

+-# endif /* HAVE_VMSDIR_H */

+-#endif

+-

++#include <dirent.h>

+ #include <stdlib.h>

+ #include <string.h>

+ #include <alloca.h>

+@@ -87,27 +56,29 @@

+ # define opendir(name) __opendir (name)

+ # define readdir(str) __readdir64 (str)

+ # define getpwnam_r(name, bufp, buf, len, res) \

+-   __getpwnam_r (name, bufp, buf, len, res)

++    __getpwnam_r (name, bufp, buf, len, res)

+ # ifndef __stat64

+ #  define __stat64(fname, buf) __xstat64 (_STAT_VER, fname, buf)

+ # endif

+ # define struct_stat64		struct stat64

++# define FLEXIBLE_ARRAY_MEMBER

+ #else /* !_LIBC */

+-# include "getlogin_r.h"

+-# include "mempcpy.h"

+-# include "stat-macros.h"

+-# include "strdup.h"

+-# define __stat64(fname, buf)	stat (fname, buf)

+-# define struct_stat64		struct stat

+-# define __stat(fname, buf)	stat (fname, buf)

+-# define __alloca		alloca

+-# define __readdir		readdir

+-# define __readdir64		readdir64

+-# define __glob_pattern_p	glob_pattern_p

++# define __getlogin_r(buf, len) getlogin_r (buf, len)

++# define __stat64(fname, buf)   stat (fname, buf)

++# define __fxstatat64(_, d, f, st, flag) fstatat (d, f, st, flag)

++# define struct_stat64          struct stat

++# ifndef __MVS__

++#  define __alloca              alloca

++# endif

++# define __readdir              readdir

++# define COMPILE_GLOB64

+ #endif /* _LIBC */

+ 

+ #include <fnmatch.h>

+ 

++#include <flexmember.h>

++#include <glob_internal.h>

++

+ #ifdef _SC_GETPW_R_SIZE_MAX

+ # define GETPW_R_SIZE_MAX()	sysconf (_SC_GETPW_R_SIZE_MAX)

+ #else

+@@ -121,61 +92,59 @@

+ 

+ static const char *next_brace_sub (const char *begin, int flags) __THROWNL;

+ 

++typedef uint_fast8_t dirent_type;

++

++#if !defined _LIBC && !defined HAVE_STRUCT_DIRENT_D_TYPE

++/* Any distinct values will do here.

++   Undef any existing macros out of the way.  */

++# undef DT_UNKNOWN

++# undef DT_DIR

++# undef DT_LNK

++# define DT_UNKNOWN 0

++# define DT_DIR 1

++# define DT_LNK 2

++#endif

++

+ /* A representation of a directory entry which does not depend on the

+    layout of struct dirent, or the size of ino_t.  */

+ struct readdir_result

+ {

+   const char *name;

+-# if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE

+-  uint8_t type;

+-# endif

++#if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE

++  dirent_type type;

++#endif

++#if defined _LIBC || defined D_INO_IN_DIRENT

+   bool skip_entry;

++#endif

+ };

+ 

+-# if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE

+-/* Initializer based on the d_type member of struct dirent.  */

+-#  define D_TYPE_TO_RESULT(source) (source)->d_type,

+-

+-/* True if the directory entry D might be a symbolic link.  */

+-static bool

+-readdir_result_might_be_symlink (struct readdir_result d)

+-{

+-  return d.type == DT_UNKNOWN || d.type == DT_LNK;

+-}

+-

+-/* True if the directory entry D might be a directory.  */

+-static bool

+-readdir_result_might_be_dir (struct readdir_result d)

++/* Initialize and return type member of struct readdir_result.  */

++static dirent_type

++readdir_result_type (struct readdir_result d)

+ {

+-  return d.type == DT_DIR || readdir_result_might_be_symlink (d);

+-}

+-# else /* defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE */

+-#  define D_TYPE_TO_RESULT(source)

+-

+-/* If we do not have type information, symbolic links and directories

+-   are always a possibility.  */

+-

+-static bool

+-readdir_result_might_be_symlink (struct readdir_result d)

+-{

+-  return true;

++#if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE

++# define D_TYPE_TO_RESULT(source) (source)->d_type,

++  return d.type;

++#else

++# define D_TYPE_TO_RESULT(source)

++  return DT_UNKNOWN;

++#endif

+ }

+ 

++/* Initialize and return skip_entry member of struct readdir_result.  */

+ static bool

+-readdir_result_might_be_dir (struct readdir_result d)

++readdir_result_skip_entry (struct readdir_result d)

+ {

+-  return true;

+-}

+-

+-# endif /* defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE */

+-

+-# if (defined POSIX || defined WINDOWS32) && !defined __GNU_LIBRARY__

+ /* Initializer for skip_entry.  POSIX does not require that the d_ino

+    field be present, and some systems do not provide it. */

+-#  define D_INO_TO_RESULT(source) false,

+-# else

+-#  define D_INO_TO_RESULT(source) (source)->d_ino == 0,

+-# endif

++#if defined _LIBC || defined D_INO_IN_DIRENT

++# define D_INO_TO_RESULT(source) (source)->d_ino == 0,

++  return d.skip_entry;

++#else

++# define D_INO_TO_RESULT(source)

++  return false;

++#endif

++}

+ 

+ /* Construct an initializer for a struct readdir_result object from a

+    struct dirent *.  No copy of the name is made.  */

+@@ -186,8 +155,6 @@ readdir_result_might_be_dir (struct read

+     D_INO_TO_RESULT (source)		   \

+   }

+ 

+-#endif /* !defined _LIBC || !defined GLOB_ONLY_P */

+-

+ /* Call gl_readdir on STREAM.  This macro can be overridden to reduce

+    type safety if an old interface version needs to be supported.  */

+ #ifndef GL_READDIR

+@@ -225,18 +192,55 @@ convert_dirent64 (const struct dirent64

+ }

+ #endif

+ 

++#ifndef _LIBC

++/* The results of opendir() in this file are not used with dirfd and fchdir,

++   and we do not leak fds to any single-threaded code that could use stdio,

++   therefore save some unnecessary recursion in fchdir.c and opendir_safer.c.

++   FIXME - if the kernel ever adds support for multi-thread safety for

++   avoiding standard fds, then we should use opendir_safer.  */

++# ifdef GNULIB_defined_opendir

++#  undef opendir

++# endif

++# ifdef GNULIB_defined_closedir

++#  undef closedir

++# endif

+ 

+-#ifndef attribute_hidden

+-# define attribute_hidden

++/* Just use malloc.  */

++# define __libc_use_alloca(n) false

++# define alloca_account(len, avar) ((void) (len), (void) (avar), (void *) 0)

++# define extend_alloca_account(buf, len, newlen, avar) \

++    ((void) (buf), (void) (len), (void) (newlen), (void) (avar), (void *) 0)

+ #endif

+ 

++/* Set *R = A + B.  Return true if the answer is mathematically

++   incorrect due to overflow; in this case, *R is the low order

++   bits of the correct answer.  */

++

++static bool

++size_add_wrapv (size_t a, size_t b, size_t *r)

++{

++#if 5 <= __GNUC__ && !defined __ICC

++  return __builtin_add_overflow (a, b, r);

++#else

++  *r = a + b;

++  return *r < a;

++#endif

++}

++

++static bool

++glob_use_alloca (size_t alloca_used, size_t len)

++{

++  size_t size;

++  return (!size_add_wrapv (alloca_used, len, &size)

++          && __libc_use_alloca (size));

++}

++

+ static int glob_in_dir (const char *pattern, const char *directory,

+ 			int flags, int (*errfunc) (const char *, int),

+ 			glob_t *pglob, size_t alloca_used);

+ extern int __glob_pattern_type (const char *pattern, int quote)

+     attribute_hidden;

+ 

+-#if !defined _LIBC || !defined GLOB_ONLY_P

+ static int prefix_array (const char *prefix, char **array, size_t n) __THROWNL;

+ static int collated_compare (const void *, const void *) __THROWNL;

+ 

+@@ -265,16 +269,15 @@ next_brace_sub (const char *cp, int flag

+   return *cp != '\0' ? cp : NULL;

+ }

+ 

+-#endif /* !defined _LIBC || !defined GLOB_ONLY_P */

+ 

+ /* Do glob searching for PATTERN, placing results in PGLOB.

+    The bits defined above may be set in FLAGS.

+    If a directory cannot be opened or read and ERRFUNC is not nil,

+    it is called with the pathname that caused the error, and the

+-   `errno' value from the failing call; if it returns non-zero

+-   `glob' returns GLOB_ABORTED; if it returns zero, the error is ignored.

++   'errno' value from the failing call; if it returns non-zero

++   'glob' returns GLOB_ABORTED; if it returns zero, the error is ignored.

+    If memory cannot be allocated for PGLOB, GLOB_NOSPACE is returned.

+-   Otherwise, `glob' returns zero.  */

++   Otherwise, 'glob' returns zero.  */

+ int

+ #ifdef GLOB_ATTRIBUTE

+ GLOB_ATTRIBUTE

+@@ -295,9 +298,7 @@ glob (pattern, flags, errfunc, pglob)

+   int malloc_dirname = 0;

+   glob_t dirs;

+   int retval = 0;

+-#ifdef _LIBC

+   size_t alloca_used = 0;

+-#endif

+ 

+   if (pattern == NULL || pglob == NULL || (flags & ~__GLOB_FLAGS) != 0)

+     {

+@@ -311,7 +312,7 @@ glob (pattern, flags, errfunc, pglob)

+     flags |= GLOB_ONLYDIR;

+ 

+   if (!(flags & GLOB_DOOFFS))

+-    /* Have to do this so `globfree' knows where to start freeing.  It

++    /* Have to do this so 'globfree' knows where to start freeing.  It

+        also makes all the code that uses gl_offs simpler. */

+     pglob->gl_offs = 0;

+ 

+@@ -353,14 +354,12 @@ glob (pattern, flags, errfunc, pglob)

+ 	  size_t rest_len;

+ 	  char *onealt;

+ 	  size_t pattern_len = strlen (pattern) - 1;

+-#ifdef _LIBC

+-	  int alloca_onealt = __libc_use_alloca (alloca_used + pattern_len);

++	  int alloca_onealt = glob_use_alloca (alloca_used, pattern_len);

+ 	  if (alloca_onealt)

+ 	    onealt = alloca_account (pattern_len, alloca_used);

+ 	  else

+-#endif

+ 	    {

+-	      onealt = (char *) malloc (pattern_len);

++	      onealt = malloc (pattern_len);

+ 	      if (onealt == NULL)

+ 		{

+ 		  if (!(flags & GLOB_APPEND))

+@@ -380,11 +379,9 @@ glob (pattern, flags, errfunc, pglob)

+ 	  next = next_brace_sub (begin + 1, flags);

+ 	  if (next == NULL)

+ 	    {

+-	      /* It is an illegal expression.  */

++	      /* It is an invalid expression.  */

+ 	    illegal_brace:

+-#ifdef _LIBC

+ 	      if (__glibc_unlikely (!alloca_onealt))

+-#endif

+ 		free (onealt);

+ 	      return glob (pattern, flags & ~GLOB_BRACE, errfunc, pglob);

+ 	    }

+@@ -432,9 +429,7 @@ glob (pattern, flags, errfunc, pglob)

+ 	      /* If we got an error, return it.  */

+ 	      if (result && result != GLOB_NOMATCH)

+ 		{

+-#ifdef _LIBC

+ 		  if (__glibc_unlikely (!alloca_onealt))

+-#endif

+ 		    free (onealt);

+ 		  if (!(flags & GLOB_APPEND))

+ 		    {

+@@ -453,9 +448,7 @@ glob (pattern, flags, errfunc, pglob)

+ 	      assert (next != NULL);

+ 	    }

+ 

+-#ifdef _LIBC

+ 	  if (__glibc_unlikely (!alloca_onealt))

+-#endif

+ 	    free (onealt);

+ 

+ 	  if (pglob->gl_pathc != firstc)

+@@ -492,14 +485,16 @@ glob (pattern, flags, errfunc, pglob)

+ 

+   /* Find the filename.  */

+   filename = strrchr (pattern, '/');

++

+ #if defined __MSDOS__ || defined WINDOWS32

+-  /* The case of "d:pattern".  Since `:' is not allowed in

++  /* The case of "d:pattern".  Since ':' is not allowed in

+      file names, we can safely assume that wherever it

+      happens in pattern, it signals the filename part.  This

+      is so we could some day support patterns like "[a-z]:foo".  */

+   if (filename == NULL)

+     filename = strchr (pattern, ':');

+ #endif /* __MSDOS__ || WINDOWS32 */

++

+   dirname_modified = 0;

+   if (filename == NULL)

+     {

+@@ -524,11 +519,7 @@ glob (pattern, flags, errfunc, pglob)

+ 	    }

+ 

+ 	  filename = pattern;

+-#ifdef _AMIGA

+-	  dirname = (char *) "";

+-#else

+ 	  dirname = (char *) ".";

+-#endif

+ 	  dirlen = 0;

+ 	}

+     }

+@@ -552,22 +543,21 @@ glob (pattern, flags, errfunc, pglob)

+ 	  char *drive_spec;

+ 

+ 	  ++dirlen;

+-	  drive_spec = (char *) __alloca (dirlen + 1);

++	  drive_spec = __alloca (dirlen + 1);

+ 	  *((char *) mempcpy (drive_spec, pattern, dirlen)) = '\0';

+ 	  /* For now, disallow wildcards in the drive spec, to

+ 	     prevent infinite recursion in glob.  */

+ 	  if (__glob_pattern_p (drive_spec, !(flags & GLOB_NOESCAPE)))

+ 	    return GLOB_NOMATCH;

+-	  /* If this is "d:pattern", we need to copy `:' to DIRNAME

++	  /* If this is "d:pattern", we need to copy ':' to DIRNAME

+ 	     as well.  If it's "d:/pattern", don't remove the slash

+ 	     from "d:/", since "d:" and "d:/" are not the same.*/

+ 	}

+ #endif

+-#ifdef _LIBC

+-      if (__libc_use_alloca (alloca_used + dirlen + 1))

++

++      if (glob_use_alloca (alloca_used, dirlen + 1))

+ 	newp = alloca_account (dirlen + 1, alloca_used);

+       else

+-#endif

+ 	{

+ 	  newp = malloc (dirlen + 1);

+ 	  if (newp == NULL)

+@@ -578,14 +568,17 @@ glob (pattern, flags, errfunc, pglob)

+       dirname = newp;

+       ++filename;

+ 

+-      if (filename[0] == '\0'

+ #if defined __MSDOS__ || defined WINDOWS32

+-	  && dirname[dirlen - 1] != ':'

+-	  && (dirlen < 3 || dirname[dirlen - 2] != ':'

+-	      || dirname[dirlen - 1] != '/')

++      bool drive_root = (dirlen > 1

++                         && (dirname[dirlen - 1] == ':'

++                             || (dirlen > 2 && dirname[dirlen - 2] == ':'

++                                 && dirname[dirlen - 1] == '/')));

++#else

++      bool drive_root = false;

+ #endif

+-	  && dirlen > 1)

+-	/* "pattern/".  Expand "pattern", appending slashes.  */

++

++      if (filename[0] == '\0' && dirlen > 1 && !drive_root)

++        /* "pattern/".  Expand "pattern", appending slashes.  */

+ 	{

+ 	  int orig_flags = flags;

+ 	  if (!(flags & GLOB_NOESCAPE) && dirname[dirlen - 1] == '\\')

+@@ -618,7 +611,6 @@ glob (pattern, flags, errfunc, pglob)

+ 	}

+     }

+ 

+-#ifndef VMS

+   if ((flags & (GLOB_TILDE|GLOB_TILDE_CHECK)) && dirname[0] == '~')

+     {

+       if (dirname[1] == '\0' || dirname[1] == '/'

+@@ -628,100 +620,127 @@ glob (pattern, flags, errfunc, pglob)

+ 	  /* Look up home directory.  */

+ 	  char *home_dir = getenv ("HOME");

+ 	  int malloc_home_dir = 0;

+-# ifdef _AMIGA

+-	  if (home_dir == NULL || home_dir[0] == '\0')

+-	    home_dir = "SYS:";

+-# else

+-#  ifdef WINDOWS32

+-	  if (home_dir == NULL || home_dir[0] == '\0')

+-	    home_dir = "c:/users/default"; /* poor default */

+-#  else

+ 	  if (home_dir == NULL || home_dir[0] == '\0')

+ 	    {

++#ifdef WINDOWS32

++	      /* Windows NT defines HOMEDRIVE and HOMEPATH.  But give

++		 preference to HOME, because the user can change HOME.  */

++	      const char *home_drive = getenv ("HOMEDRIVE");

++	      const char *home_path = getenv ("HOMEPATH");

++

++	      if (home_drive != NULL && home_path != NULL)

++		{

++		  size_t home_drive_len = strlen (home_drive);

++		  size_t home_path_len = strlen (home_path);

++		  char *mem = alloca (home_drive_len + home_path_len + 1);

++

++		  memcpy (mem, home_drive, home_drive_len);

++		  memcpy (mem + home_drive_len, home_path, home_path_len + 1);

++		  home_dir = mem;

++		}

++	      else

++		home_dir = "c:/users/default"; /* poor default */

++#else

+ 	      int success;

+ 	      char *name;

++	      int malloc_name = 0;

+ 	      size_t buflen = GET_LOGIN_NAME_MAX () + 1;

+ 

+ 	      if (buflen == 0)

+-		/* `sysconf' does not support _SC_LOGIN_NAME_MAX.  Try

++		/* 'sysconf' does not support _SC_LOGIN_NAME_MAX.  Try

+ 		   a moderate value.  */

+ 		buflen = 20;

+-	      name = alloca_account (buflen, alloca_used);

++	      if (glob_use_alloca (alloca_used, buflen))

++		name = alloca_account (buflen, alloca_used);

++	      else

++		{

++		  name = malloc (buflen);

++		  if (name == NULL)

++		    {

++		      retval = GLOB_NOSPACE;

++		      goto out;

++		    }

++		  malloc_name = 1;

++		}

+ 

+ 	      success = __getlogin_r (name, buflen) == 0;

+ 	      if (success)

+ 		{

+ 		  struct passwd *p;

+-#   if defined HAVE_GETPWNAM_R || defined _LIBC

+-		  long int pwbuflen = GETPW_R_SIZE_MAX ();

++		  char *malloc_pwtmpbuf = NULL;

+ 		  char *pwtmpbuf;

++# if defined HAVE_GETPWNAM_R || defined _LIBC

++		  long int pwbuflenmax = GETPW_R_SIZE_MAX ();

++		  size_t pwbuflen = pwbuflenmax;

+ 		  struct passwd pwbuf;

+-		  int malloc_pwtmpbuf = 0;

+ 		  int save = errno;

+ 

+-#    ifndef _LIBC

+-		  if (pwbuflen == -1)

+-		    /* `sysconf' does not support _SC_GETPW_R_SIZE_MAX.

++#  ifndef _LIBC

++		  if (! (0 < pwbuflenmax && pwbuflenmax <= SIZE_MAX))

++		    /* 'sysconf' does not support _SC_GETPW_R_SIZE_MAX.

+ 		       Try a moderate value.  */

+ 		    pwbuflen = 1024;

+-#    endif

+-		  if (__libc_use_alloca (alloca_used + pwbuflen))

++#  endif

++		  if (glob_use_alloca (alloca_used, pwbuflen))

+ 		    pwtmpbuf = alloca_account (pwbuflen, alloca_used);

+ 		  else

+ 		    {

+ 		      pwtmpbuf = malloc (pwbuflen);

+ 		      if (pwtmpbuf == NULL)

+ 			{

++			  if (__glibc_unlikely (malloc_name))

++			    free (name);

+ 			  retval = GLOB_NOSPACE;

+ 			  goto out;

+ 			}

+-		      malloc_pwtmpbuf = 1;

++		      malloc_pwtmpbuf = pwtmpbuf;

+ 		    }

+ 

+ 		  while (getpwnam_r (name, &pwbuf, pwtmpbuf, pwbuflen, &p)

+ 			 != 0)

+ 		    {

++		      size_t newlen;

++		      bool v;

+ 		      if (errno != ERANGE)

+ 			{

+ 			  p = NULL;

+ 			  break;

+ 			}

+-

+-		      if (!malloc_pwtmpbuf

+-			  && __libc_use_alloca (alloca_used

+-						+ 2 * pwbuflen))

++		      v = size_add_wrapv (pwbuflen, pwbuflen, &newlen);

++		      if (!v && malloc_pwtmpbuf == NULL

++			  && glob_use_alloca (alloca_used, newlen))

+ 			pwtmpbuf = extend_alloca_account (pwtmpbuf, pwbuflen,

+-							  2 * pwbuflen,

+-							  alloca_used);

++							  newlen, alloca_used);

+ 		      else

+ 			{

+-			  char *newp = realloc (malloc_pwtmpbuf

+-						? pwtmpbuf : NULL,

+-						2 * pwbuflen);

++			  char *newp = (v ? NULL

++					: realloc (malloc_pwtmpbuf, newlen));

+ 			  if (newp == NULL)

+ 			    {

+-			      if (__glibc_unlikely (malloc_pwtmpbuf))

+-				free (pwtmpbuf);

++			      free (malloc_pwtmpbuf);

++			      if (__glibc_unlikely (malloc_name))

++				free (name);

+ 			      retval = GLOB_NOSPACE;

+ 			      goto out;

+ 			    }

+-			  pwtmpbuf = newp;

+-			  pwbuflen = 2 * pwbuflen;

+-			  malloc_pwtmpbuf = 1;

++			  malloc_pwtmpbuf = pwtmpbuf = newp;

+ 			}

++		      pwbuflen = newlen;

+ 		      __set_errno (save);

+ 		    }

+-#   else

++# else

+ 		  p = getpwnam (name);

+-#   endif

++# endif

++		  if (__glibc_unlikely (malloc_name))

++		    free (name);

+ 		  if (p != NULL)

+ 		    {

+-		      if (!malloc_pwtmpbuf)

++		      if (malloc_pwtmpbuf == NULL)

+ 			home_dir = p->pw_dir;

+ 		      else

+ 			{

+ 			  size_t home_dir_len = strlen (p->pw_dir) + 1;

+-			  if (__libc_use_alloca (alloca_used + home_dir_len))

++			  if (glob_use_alloca (alloca_used, home_dir_len))

+ 			    home_dir = alloca_account (home_dir_len,

+ 						       alloca_used);

+ 			  else

+@@ -736,26 +755,32 @@ glob (pattern, flags, errfunc, pglob)

+ 			      malloc_home_dir = 1;

+ 			    }

+ 			  memcpy (home_dir, p->pw_dir, home_dir_len);

+-

+-			  free (pwtmpbuf);

+ 			}

+ 		    }

++		  free (malloc_pwtmpbuf);

+ 		}

++	      else

++		{

++		  if (__glibc_unlikely (malloc_name))

++		    free (name);

++		}

++#endif /* WINDOWS32 */

+ 	    }

+ 	  if (home_dir == NULL || home_dir[0] == '\0')

+ 	    {

++	      if (__glibc_unlikely (malloc_home_dir))

++		free (home_dir);

+ 	      if (flags & GLOB_TILDE_CHECK)

+ 		{

+-		  if (__glibc_unlikely (malloc_home_dir))

+-		    free (home_dir);

+ 		  retval = GLOB_NOMATCH;

+ 		  goto out;

+ 		}

+ 	      else

+-		home_dir = (char *) "~"; /* No luck.  */

++		{

++		  home_dir = (char *) "~"; /* No luck.  */

++		  malloc_home_dir = 0;

++		}

+ 	    }

+-#  endif /* WINDOWS32 */

+-# endif

+ 	  /* Now construct the full directory.  */

+ 	  if (dirname[1] == '\0')

+ 	    {

+@@ -770,8 +795,7 @@ glob (pattern, flags, errfunc, pglob)

+ 	    {

+ 	      char *newp;

+ 	      size_t home_len = strlen (home_dir);

+-	      int use_alloca = __libc_use_alloca (alloca_used

+-						  + home_len + dirlen);

++	      int use_alloca = glob_use_alloca (alloca_used, home_len + dirlen);

+ 	      if (use_alloca)

+ 		newp = alloca_account (home_len + dirlen, alloca_used);

+ 	      else

+@@ -795,12 +819,15 @@ glob (pattern, flags, errfunc, pglob)

+ 	      dirname = newp;

+ 	      dirlen += home_len - 1;

+ 	      malloc_dirname = !use_alloca;

++

++	      if (__glibc_unlikely (malloc_home_dir))

++		free (home_dir);

+ 	    }

+ 	  dirname_modified = 1;

+ 	}

+-# if !defined _AMIGA && !defined WINDOWS32

+       else

+ 	{

++#ifndef WINDOWS32

+ 	  char *end_name = strchr (dirname, '/');

+ 	  char *user_name;

+ 	  int malloc_user_name = 0;

+@@ -822,7 +849,7 @@ glob (pattern, flags, errfunc, pglob)

+ 	  else

+ 	    {

+ 	      char *newp;

+-	      if (__libc_use_alloca (alloca_used + (end_name - dirname)))

++	      if (glob_use_alloca (alloca_used, end_name - dirname))

+ 		newp = alloca_account (end_name - dirname, alloca_used);

+ 	      else

+ 		{

+@@ -867,20 +894,21 @@ glob (pattern, flags, errfunc, pglob)

+ 	  /* Look up specific user's home directory.  */

+ 	  {

+ 	    struct passwd *p;

++	    char *malloc_pwtmpbuf = NULL;

+ #  if defined HAVE_GETPWNAM_R || defined _LIBC

+-	    long int buflen = GETPW_R_SIZE_MAX ();

++	    long int buflenmax = GETPW_R_SIZE_MAX ();

++	    size_t buflen = buflenmax;