Coverage Report

Created: 2025-06-13 06:43

/src/php-src/main/php_glob.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 1989, 1993
3
 *  The Regents of the University of California.  All rights reserved.
4
 *
5
 * This code is derived from software contributed to Berkeley by
6
 * Guido van Rossum.
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, this list of conditions and the following disclaimer.
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 * 3. Neither the name of the University nor the names of its contributors
17
 *    may be used to endorse or promote products derived from this software
18
 *    without specific prior written permission.
19
 *
20
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30
 * SUCH DAMAGE.
31
 */
32
33
/*
34
 * glob(3) -- a superset of the one defined in POSIX 1003.2.
35
 *
36
 * The [!...] convention to negate a range is supported (SysV, Posix, ksh).
37
 *
38
 * Optional extra services, controlled by flags not defined by POSIX:
39
 *
40
 * PHP_GLOB_QUOTE:
41
 *  Escaping convention: \ inhibits any special meaning the following
42
 *  character might have (except \ at end of string is retained).
43
 * PHP_GLOB_MAGCHAR:
44
 *  Set in gl_flags if pattern contained a globbing character.
45
 * PHP_GLOB_NOMAGIC:
46
 *  Same as PHP_GLOB_NOCHECK, but it will only append pattern if it did
47
 *  not contain any magic characters.  [Used in csh style globbing]
48
 * PHP_GLOB_ALTDIRFUNC:
49
 *  Use alternately specified directory access functions.
50
 * PHP_GLOB_TILDE:
51
 *  expand ~user/foo to the /home/dir/of/user/foo
52
 * PHP_GLOB_BRACE:
53
 *  expand {1,2}{a,b} to 1a 1b 2a 2b
54
 * gl_matchc:
55
 *  Number of matches in the current invocation of glob.
56
 */
57
58
#include "php_glob.h"
59
60
#if !(defined(HAVE_GLOB) && defined(PHP_SYSTEM_GLOB))
61
62
/*
 * Platform fallbacks for limits this file relies on (ARG_MAX, PATH_MAX,
 * SSIZE_MAX) when building on Windows, plus the size of the scratch buffer
 * handed to getpwuid_r()/getpwnam_r().
 */
#ifdef PHP_WIN32
# if _MSC_VER < 1800
/* Include <limits.h> with _POSIX_ temporarily defined. */
#  define _POSIX_
#  include <limits.h>
#  undef _POSIX_
# else
/* Visual Studio 2013 removed all the _POSIX_ defines, but we depend on some */
#  ifndef ARG_MAX
#   define ARG_MAX 14500
#  endif
# endif
# ifndef PATH_MAX
#  define PATH_MAX MAXPATHLEN
# endif
/* Windows defines SIZE_MAX but not SSIZE_MAX */
# ifndef SSIZE_MAX
#  ifdef _WIN64
#   define SSIZE_MAX _I64_MAX
#  else
#   define SSIZE_MAX INT_MAX
#  endif
# endif
#endif /* PHP_WIN32 */

#ifndef _PW_BUF_LEN
/* XXX: Should be sysconf(_SC_GETPW_R_SIZE_MAX), but then VLA */
# define _PW_BUF_LEN 4096
#endif
90
91
#include "php.h"
92
#include <sys/stat.h>
93
94
#include <ctype.h>
95
#ifndef PHP_WIN32
96
#include <sys/param.h>
97
#include <dirent.h>
98
#include <pwd.h>
99
#include <unistd.h>
100
#endif
101
#include <errno.h>
102
#include <limits.h>
103
#include <stdint.h>
104
#include <stdio.h>
105
#include <stdlib.h>
106
#include <string.h>
107
108
#include "charclass.h"
109
110
/* Literal characters that have a meaning in glob patterns or path names. */
#define DOLLAR		'$'
#define DOT		'.'
#define EOS		'\0'		/* end of string */
#define LBRACKET	'['
#define NOT		'!'		/* negates a [...] set */
#define QUESTION	'?'
#define QUOTE		'\\'		/* escape character */
#define RANGE		'-'		/* range separator inside [...] */
#define RBRACKET	']'
#define SEP		DEFAULT_SLASH	/* separator appended to paths */
#define STAR		'*'
#define TILDE		'~'
#define UNDERSCORE	'_'
#define LBRACE		'{'
#define RBRACE		'}'
#define SLASH		'/'
#define COMMA		','
127
128
#ifndef DEBUG
129
130
0
#define M_QUOTE   0x8000
131
0
#define M_PROTECT 0x4000
132
0
#define M_MASK    0xffff
133
0
#define M_ASCII   0x00ff
134
135
typedef u_short Char;
136
137
#else
138
139
#define M_QUOTE   0x80
140
#define M_PROTECT 0x40
141
#define M_MASK    0xff
142
#define M_ASCII   0x7f
143
144
typedef char Char;
145
146
#endif
147
148
149
0
#define CHAR(c)   ((Char)((c)&M_ASCII))
150
0
#define META(c)   ((Char)((c)|M_QUOTE))
151
0
#define M_ALL   META('*')
152
0
#define M_END   META(']')
153
0
#define M_NOT   META('!')
154
0
#define M_ONE   META('?')
155
0
#define M_RNG   META('-')
156
0
#define M_SET   META('[')
157
0
#define M_CLASS   META(':')
158
0
#define ismeta(c) (((c)&M_QUOTE) != 0)
159
160
0
/* Resource ceilings enforced when PHP_GLOB_LIMIT is set in gl_flags. */
#define PHP_GLOB_LIMIT_MALLOC	65536	/* bytes accounted in glim_malloc */
#define PHP_GLOB_LIMIT_STAT	2048	/* completed paths counted in glim_stat */
#define PHP_GLOB_LIMIT_READDIR	16384	/* directory entries counted in glim_readdir */
163
164
/* Running resource counters for one php_glob() call (see PHP_GLOB_LIMIT_*). */
struct glob_lim {
	size_t glim_malloc;	/* bytes accounted for copied paths and stat data */
	size_t glim_stat;	/* completed candidate paths seen by glob2() */
	size_t glim_readdir;	/* directory entries read by glob3() */
};
169
170
struct glob_path_stat {
171
  char    *gps_path;
172
  zend_stat_t *gps_stat;
173
};
174
175
#ifndef HAVE_REALLOCARRAY
176
/*
177
 * XXX: This is temporary to avoid having reallocarray be imported and part of
178
 * PHP's public API. Since it's only needed here and on Windows, we can just
179
 * put it here for now. Convert this file to ZendMM and remove this function
180
 * when that's complete.
181
 */
182
183
/*  $OpenBSD: reallocarray.c,v 1.3 2015/09/13 08:31:47 guenther Exp $ */
184
/*
185
 * Copyright (c) 2008 Otto Moerbeek <otto@drijf.net>
186
 *
187
 * Permission to use, copy, modify, and distribute this software for any
188
 * purpose with or without fee is hereby granted, provided that the above
189
 * copyright notice and this permission notice appear in all copies.
190
 *
191
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
192
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
193
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
194
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
195
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
196
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
197
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
198
 */
199
200
/*
 * sqrt(SIZE_MAX + 1): when both factors are below this value their product
 * cannot exceed SIZE_MAX, so the division check can be skipped.
 */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/*
 * realloc() for an array of nmemb elements of size bytes each, refusing
 * requests whose total size would overflow size_t.
 *
 * Returns the (possibly moved) allocation, or NULL with errno set to ENOMEM
 * when nmemb * size overflows.  Otherwise the result is whatever realloc()
 * returns for the product.
 */
static void *
reallocarray(void *optr, size_t nmemb, size_t size)
{
	int needs_check = (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW);

	if (needs_check && nmemb > 0 && SIZE_MAX / nmemb < size) {
		errno = ENOMEM;
		return NULL;
	}

	return realloc(optr, size * nmemb);
}
216
#endif
217
218
static int   compare(const void *, const void *);
219
static int   compare_gps(const void *, const void *);
220
static int   g_Ctoc(const Char *, char *, size_t);
221
static int   g_lstat(Char *, zend_stat_t *, php_glob_t *);
222
static DIR  *g_opendir(Char *, php_glob_t *);
223
static Char *g_strchr(const Char *, int);
224
static int   g_strncmp(const Char *, const char *, size_t);
225
static int   g_stat(Char *, zend_stat_t *, php_glob_t *);
226
static int   glob0(const Char *, php_glob_t *, struct glob_lim *);
227
static int   glob1(Char *, Char *, php_glob_t *, struct glob_lim *);
228
static int   glob2(Char *, Char *, Char *, Char *, Char *, Char *,
229
        php_glob_t *, struct glob_lim *);
230
static int   glob3(Char *, Char *, Char *, Char *, Char *,
231
        Char *, Char *, php_glob_t *, struct glob_lim *);
232
static int   globextend(const Char *, php_glob_t *, struct glob_lim *,
233
        zend_stat_t *);
234
static const Char *globtilde(const Char *, Char *, size_t, php_glob_t *);
235
static int   globexp1(const Char *, php_glob_t *, struct glob_lim *);
236
static int   globexp2(const Char *, const Char *, php_glob_t *,
237
        struct glob_lim *);
238
static int   match(Char *, Char *, Char *);
239
#ifdef DEBUG
240
static void  qprintf(const char *, Char *);
241
#endif
242
243
/*
 * Public entry point: expand `pattern` and record the results in `pglob`.
 *
 * pattern - NUL-terminated pattern; patterns of PATH_MAX bytes or more are
 *           rejected with PHP_GLOB_NOMATCH.
 * flags   - PHP_GLOB_* option bits.  Without PHP_GLOB_APPEND the result
 *           vectors in pglob are reset first; gl_offs is also reset unless
 *           PHP_GLOB_DOOFFS is given.
 * errfunc - stored in pglob->gl_errfunc for the directory walker.
 * pglob   - result structure, updated in place.
 *
 * Returns the result of globexp1() (with PHP_GLOB_BRACE) or glob0(), or
 * PHP_GLOB_NOSPACE when gl_offs/gl_pathc are too large to extend safely.
 */
PHPAPI int php_glob(const char *pattern, int flags, int (*errfunc)(const char *, int), php_glob_t *pglob)
{
	const uint8_t *src;
	int ch;
	int escapes;
	Char *dst, *dst_last, patbuf[PATH_MAX];
	struct glob_lim limit = { 0, 0, 0 };

#ifdef PHP_WIN32
	/* Force skipping escape sequences on windows
	 * due to the ambiguity with path backslashes
	 */
	flags |= PHP_GLOB_NOESCAPE;
#endif

	src = (uint8_t *) pattern;
	if (!(flags & PHP_GLOB_APPEND)) {
		pglob->gl_pathc = 0;
		pglob->gl_pathv = NULL;
		pglob->gl_statv = NULL;
		if (!(flags & PHP_GLOB_DOOFFS)) {
			pglob->gl_offs = 0;
		}
	}
	pglob->gl_flags = flags & ~PHP_GLOB_MAGCHAR;
	pglob->gl_errfunc = errfunc;
	pglob->gl_matchc = 0;

	if (strnlen(pattern, PATH_MAX) == PATH_MAX) {
		return(PHP_GLOB_NOMATCH);
	}

	if (pglob->gl_offs >= SSIZE_MAX || pglob->gl_pathc >= SSIZE_MAX ||
	    pglob->gl_pathc >= SSIZE_MAX - pglob->gl_offs - 1) {
		return PHP_GLOB_NOSPACE;
	}

	/*
	 * Widen the pattern into Char units.  When escapes are honoured, the
	 * character following a backslash is tagged with M_PROTECT; a trailing
	 * backslash is kept as a (protected) backslash.
	 */
	escapes = !(flags & PHP_GLOB_NOESCAPE);
	dst = patbuf;
	dst_last = patbuf + PATH_MAX - 1;
	while (dst < dst_last && (ch = *src++) != EOS) {
		if (escapes && ch == QUOTE) {
			ch = *src++;
			if (ch == EOS) {
				ch = QUOTE;
				--src;
			}
			*dst++ = ch | M_PROTECT;
		} else {
			*dst++ = ch;
		}
	}
	*dst = EOS;

	if (flags & PHP_GLOB_BRACE) {
		return globexp1(patbuf, pglob, &limit);
	}
	return glob0(patbuf, pglob, &limit);
}
300
301
/*
302
 * Expand recursively a glob {} pattern. When there is no more expansion
303
 * invoke the standard globbing routine to glob the rest of the magic
304
 * characters
305
 */
306
static int globexp1(const Char *pattern, php_glob_t *pglob, struct glob_lim *limitp)
307
0
{
308
0
  const Char* ptr = pattern;
309
310
  /* Protect a single {}, for find(1), like csh */
311
0
  if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
312
0
    return glob0(pattern, pglob, limitp);
313
314
0
  if ((ptr = (const Char *) g_strchr(ptr, LBRACE)) != NULL)
315
0
    return globexp2(ptr, pattern, pglob, limitp);
316
317
0
  return glob0(pattern, pglob, limitp);
318
0
}
319
320
321
/*
322
 * Recursive brace globbing helper. Tries to expand a single brace.
323
 * If it succeeds then it invokes globexp1 with the new pattern.
324
 * If it fails then it tries to glob the rest of the pattern and returns.
325
 */
326
static int globexp2(const Char *ptr, const Char *pattern, php_glob_t *pglob, struct glob_lim *limitp)
327
0
{
328
0
  int     i, rv;
329
0
  Char   *lm, *ls;
330
0
  const Char *pe, *pm, *pl;
331
0
  Char    patbuf[PATH_MAX];
332
333
  /* copy part up to the brace */
334
0
  for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++)
335
0
    ;
336
0
  *lm = EOS;
337
0
  ls = lm;
338
339
  /* Find the balanced brace */
340
0
  for (i = 0, pe = ++ptr; *pe; pe++)
341
0
    if (*pe == LBRACKET) {
342
      /* Ignore everything between [] */
343
0
      for (pm = pe++; *pe != RBRACKET && *pe != EOS; pe++)
344
0
        ;
345
0
      if (*pe == EOS) {
346
        /*
347
         * We could not find a matching RBRACKET.
348
         * Ignore and just look for RBRACE
349
         */
350
0
        pe = pm;
351
0
      }
352
0
    } else if (*pe == LBRACE)
353
0
      i++;
354
0
    else if (*pe == RBRACE) {
355
0
      if (i == 0)
356
0
        break;
357
0
      i--;
358
0
    }
359
360
  /* Non matching braces; just glob the pattern */
361
0
  if (i != 0 || *pe == EOS)
362
0
    return glob0(patbuf, pglob, limitp);
363
364
0
  for (i = 0, pl = pm = ptr; pm <= pe; pm++) {
365
0
    const Char *pb;
366
367
0
    switch (*pm) {
368
0
    case LBRACKET:
369
      /* Ignore everything between [] */
370
0
      for (pb = pm++; *pm != RBRACKET && *pm != EOS; pm++)
371
0
        ;
372
0
      if (*pm == EOS) {
373
        /*
374
         * We could not find a matching RBRACKET.
375
         * Ignore and just look for RBRACE
376
         */
377
0
        pm = pb;
378
0
      }
379
0
      break;
380
381
0
    case LBRACE:
382
0
      i++;
383
0
      break;
384
385
0
    case RBRACE:
386
0
      if (i) {
387
0
        i--;
388
0
        break;
389
0
      }
390
      /* FALLTHROUGH */
391
0
    case COMMA:
392
0
      if (i && *pm == COMMA)
393
0
        break;
394
0
      else {
395
        /* Append the current string */
396
0
        for (lm = ls; (pl < pm); *lm++ = *pl++)
397
0
          ;
398
399
        /*
400
         * Append the rest of the pattern after the
401
         * closing brace
402
         */
403
0
        for (pl = pe + 1; (*lm++ = *pl++) != EOS; )
404
0
          ;
405
406
        /* Expand the current pattern */
407
#ifdef DEBUG
408
        qprintf("globexp2:", patbuf);
409
#endif
410
0
        rv = globexp1(patbuf, pglob, limitp);
411
0
        if (rv && rv != PHP_GLOB_NOMATCH)
412
0
          return rv;
413
414
        /* move after the comma, to the next string */
415
0
        pl = pm + 1;
416
0
      }
417
0
      break;
418
419
0
    default:
420
0
      break;
421
0
    }
422
0
  }
423
0
  return 0;
424
0
}
425
426
427
428
/*
429
 * expand tilde from the passwd file.
430
 */
431
static const Char *globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, php_glob_t *pglob)
432
0
{
433
0
#ifndef PHP_WIN32
434
0
  struct passwd pwstore, *pwd = NULL;
435
0
  char pwbuf[_PW_BUF_LEN];
436
0
#endif
437
0
  char *h;
438
0
  const Char *p;
439
0
  Char *b, *eb;
440
441
0
  if (*pattern != TILDE || !(pglob->gl_flags & PHP_GLOB_TILDE))
442
0
    return pattern;
443
444
  /* Copy up to the end of the string or / */
445
0
  eb = &patbuf[patbuf_len - 1];
446
0
  for (p = pattern + 1, h = (char *) patbuf;
447
0
    h < (char *)eb && *p && *p != SLASH; *h++ = *p++)
448
0
    ;
449
450
0
  *h = EOS;
451
452
#if 0
453
  if (h == (char *)eb)
454
    return what;
455
#endif
456
457
0
  if (((char *) patbuf)[0] == EOS) {
458
0
#ifndef PHP_WIN32
459
    /*
460
     * handle a plain ~ or ~/ by expanding $HOME
461
     * first and then trying the password file
462
     */
463
#ifdef HAVE_ISSETUGID
464
    if (issetugid() != 0 || (h = getenv("HOME")) == NULL) {
465
#else
466
0
    if ((h = getenv("HOME")) == NULL) {
467
0
#endif
468
0
      getpwuid_r(getuid(), &pwstore, pwbuf, sizeof(pwbuf),
469
0
        &pwd);
470
0
      if (pwd == NULL)
471
0
        return pattern;
472
0
      else
473
0
        h = pwd->pw_dir;
474
0
    }
475
#else
476
    return pattern;
477
#endif
478
0
  } else {
479
    /*
480
     * Expand a ~user
481
     */
482
0
#ifndef PHP_WIN32
483
0
    getpwnam_r((char *)patbuf, &pwstore, pwbuf, sizeof(pwbuf),
484
0
      &pwd);
485
0
    if (pwd == NULL)
486
0
      return pattern;
487
0
    else
488
0
      h = pwd->pw_dir;
489
#else
490
    return pattern;
491
#endif
492
0
  }
493
494
  /* Copy the home directory */
495
0
  for (b = patbuf; b < eb && *h; *b++ = *h++)
496
0
    ;
497
498
  /* Append the rest of the pattern */
499
0
  while (b < eb && (*b++ = *p++) != EOS)
500
0
    ;
501
0
  *b = EOS;
502
503
0
  return patbuf;
504
0
}
505
506
static int g_strncmp(const Char *s1, const char *s2, size_t n)
507
0
{
508
0
  int rv = 0;
509
510
0
  while (n--) {
511
0
    rv = *(Char *)s1 - *(const unsigned char *)s2++;
512
0
    if (rv)
513
0
      break;
514
0
    if (*s1++ == '\0')
515
0
      break;
516
0
  }
517
0
  return rv;
518
0
}
519
520
/*
 * Compile a "[:name:]" character class found inside a bracket expression.
 *
 * patternp - on entry *patternp points at the ':' that follows the inner
 *            '['; on success it is advanced past the closing ":]".
 * bufnextp - output cursor; on success M_CLASS followed by the index of the
 *            class in cclasses[] is appended and the cursor advanced.
 *
 * Returns 0 on success, 1 if the text is not of the form ":name:]" and -1
 * if the name is not a known class.  Nothing is consumed or written on a
 * non-zero return.
 */
static int g_charclass(const Char **patternp, Char **bufnextp)
{
	const Char *name = *patternp + 1;
	const Char *colon = g_strchr(name, ':');
	const struct cclass *cc;
	Char *out;
	size_t len;

	if (colon == NULL || colon[1] != ']') {
		return 1; /* not a character class */
	}

	len = (size_t)(colon - name);
	cc = cclasses;
	while (cc->name != NULL) {
		if (g_strncmp(name, cc->name, len) == 0 && cc->name[len] == '\0') {
			break;
		}
		cc++;
	}
	if (cc->name == NULL) {
		return -1; /* invalid character class */
	}

	out = *bufnextp;
	*out++ = M_CLASS;
	*out++ = (Char)(cc - &cclasses[0]);
	*bufnextp = out;

	/* skip ':' + name + ":]" */
	*patternp += len + 3;

	return 0;
}
545
546
/*
547
 * The main glob() routine: compiles the pattern (optionally processing
548
 * quotes), calls glob1() to do the real pattern matching, and finally
549
 * sorts the list (unless unsorted operation is requested).  Returns 0
550
 * if things went well, nonzero if errors occurred.  It is not an error
551
 * to find no matches.
552
 */
553
static int glob0(const Char *pattern, php_glob_t *pglob, struct glob_lim *limitp)
554
0
{
555
0
  const Char *qpatnext;
556
0
  int c, err;
557
0
  size_t oldpathc;
558
0
  Char *bufnext, patbuf[PATH_MAX];
559
560
0
  qpatnext = globtilde(pattern, patbuf, PATH_MAX, pglob);
561
0
  oldpathc = pglob->gl_pathc;
562
0
  bufnext = patbuf;
563
564
  /* We don't need to check for buffer overflow any more. */
565
0
  while ((c = *qpatnext++) != EOS) {
566
0
    switch (c) {
567
0
    case LBRACKET:
568
0
      c = *qpatnext;
569
0
      if (c == NOT)
570
0
        ++qpatnext;
571
0
      if (*qpatnext == EOS ||
572
0
        g_strchr(qpatnext+1, RBRACKET) == NULL) {
573
0
        *bufnext++ = LBRACKET;
574
0
        if (c == NOT)
575
0
          --qpatnext;
576
0
        break;
577
0
      }
578
0
      *bufnext++ = M_SET;
579
0
      if (c == NOT)
580
0
        *bufnext++ = M_NOT;
581
0
      c = *qpatnext++;
582
0
      do {
583
0
        if (c == LBRACKET && *qpatnext == ':') {
584
0
          do {
585
0
            err = g_charclass(&qpatnext,
586
0
              &bufnext);
587
0
            if (err)
588
0
              break;
589
0
            c = *qpatnext++;
590
0
          } while (c == LBRACKET && *qpatnext == ':');
591
0
          if (err == -1 &&
592
0
            !(pglob->gl_flags & PHP_GLOB_NOCHECK))
593
0
            return PHP_GLOB_NOMATCH;
594
0
          if (c == RBRACKET)
595
0
            break;
596
0
        }
597
0
        *bufnext++ = CHAR(c);
598
0
        if (*qpatnext == RANGE &&
599
0
          (c = qpatnext[1]) != RBRACKET) {
600
0
          *bufnext++ = M_RNG;
601
0
          *bufnext++ = CHAR(c);
602
0
          qpatnext += 2;
603
0
        }
604
0
      } while ((c = *qpatnext++) != RBRACKET);
605
0
      pglob->gl_flags |= PHP_GLOB_MAGCHAR;
606
0
      *bufnext++ = M_END;
607
0
      break;
608
0
    case QUESTION:
609
0
      pglob->gl_flags |= PHP_GLOB_MAGCHAR;
610
0
      *bufnext++ = M_ONE;
611
0
      break;
612
0
    case STAR:
613
0
      pglob->gl_flags |= PHP_GLOB_MAGCHAR;
614
      /* collapse adjacent stars to one,
615
       * to avoid exponential behavior
616
       */
617
0
      if (bufnext == patbuf || bufnext[-1] != M_ALL)
618
0
        *bufnext++ = M_ALL;
619
0
      break;
620
0
    default:
621
0
      *bufnext++ = CHAR(c);
622
0
      break;
623
0
    }
624
0
  }
625
0
  *bufnext = EOS;
626
#ifdef DEBUG
627
  qprintf("glob0:", patbuf);
628
#endif
629
630
0
  if ((err = glob1(patbuf, patbuf+PATH_MAX-1, pglob, limitp)) != 0)
631
0
    return(err);
632
633
  /*
634
   * If there was no match we are going to append the pattern
635
   * if PHP_GLOB_NOCHECK was specified or if PHP_GLOB_NOMAGIC was specified
636
   * and the pattern did not contain any magic characters
637
   * PHP_GLOB_NOMAGIC is there just for compatibility with csh.
638
   */
639
0
  if (pglob->gl_pathc == oldpathc) {
640
0
    if ((pglob->gl_flags & PHP_GLOB_NOCHECK) ||
641
0
      ((pglob->gl_flags & PHP_GLOB_NOMAGIC) &&
642
0
      !(pglob->gl_flags & PHP_GLOB_MAGCHAR)))
643
0
      return(globextend(pattern, pglob, limitp, NULL));
644
0
    else
645
0
      return(PHP_GLOB_NOMATCH);
646
0
  }
647
0
  if (!(pglob->gl_flags & PHP_GLOB_NOSORT)) {
648
0
    if ((pglob->gl_flags & PHP_GLOB_KEEPSTAT)) {
649
      /* Keep the paths and stat info synced during sort */
650
0
      struct glob_path_stat *path_stat;
651
0
      size_t i;
652
0
      size_t n = pglob->gl_pathc - oldpathc;
653
0
      size_t o = pglob->gl_offs + oldpathc;
654
655
0
      if ((path_stat = calloc(n, sizeof(*path_stat))) == NULL)
656
0
        return PHP_GLOB_NOSPACE;
657
0
      for (i = 0; i < n; i++) {
658
0
        path_stat[i].gps_path = pglob->gl_pathv[o + i];
659
0
        path_stat[i].gps_stat = pglob->gl_statv[o + i];
660
0
      }
661
0
      qsort(path_stat, n, sizeof(*path_stat), compare_gps);
662
0
      for (i = 0; i < n; i++) {
663
0
        pglob->gl_pathv[o + i] = path_stat[i].gps_path;
664
0
        pglob->gl_statv[o + i] = path_stat[i].gps_stat;
665
0
      }
666
0
      free(path_stat);
667
0
    } else {
668
0
      qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
669
0
        pglob->gl_pathc - oldpathc, sizeof(char *),
670
0
        compare);
671
0
    }
672
0
  }
673
0
  return(0);
674
0
}
675
676
/* qsort() comparator for an array of C strings (elements are char *). */
static int compare(const void *p, const void *q)
{
	const char *lhs = *(char **)p;
	const char *rhs = *(char **)q;

	return strcmp(lhs, rhs);
}
680
681
static int compare_gps(const void *_p, const void *_q)
682
0
{
683
0
  const struct glob_path_stat *p = (const struct glob_path_stat *)_p;
684
0
  const struct glob_path_stat *q = (const struct glob_path_stat *)_q;
685
686
0
  return(strcmp(p->gps_path, q->gps_path));
687
0
}
688
689
/*
 * Start the directory walk for a compiled pattern: provides the path buffer
 * in which glob2()/glob3() assemble candidate names.  An empty pattern
 * yields no matches and returns 0.
 */
static int glob1(Char *pattern, Char *pattern_last, php_glob_t *pglob, struct glob_lim *limitp)
{
	Char pathbuf[PATH_MAX];
	Char *pathbuf_last = pathbuf + PATH_MAX - 1;

	/* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */
	if (*pattern == EOS) {
		return(0);
	}

	return glob2(pathbuf, pathbuf_last, pathbuf, pathbuf_last,
	    pattern, pattern_last, pglob, limitp);
}
700
701
/*
702
 * The functions glob2 and glob3 are mutually recursive; there is one level
703
 * of recursion for each segment in the pattern that contains one or more
704
 * meta characters.
705
 */
706
static int glob2(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last, Char *pattern, Char *pattern_last, php_glob_t *pglob, struct glob_lim *limitp)
707
0
{
708
0
  zend_stat_t sb;
709
0
  Char *p, *q;
710
0
  int anymeta;
711
712
  /*
713
   * Loop over pattern segments until end of pattern or until
714
   * segment with meta character found.
715
   */
716
0
  for (anymeta = 0;;) {
717
0
    if (*pattern == EOS) {   /* End of pattern? */
718
0
      *pathend = EOS;
719
720
0
      if ((pglob->gl_flags & PHP_GLOB_LIMIT) &&
721
0
        limitp->glim_stat++ >= PHP_GLOB_LIMIT_STAT) {
722
0
        errno = 0;
723
0
        *pathend++ = SEP;
724
0
        *pathend = EOS;
725
0
        return(PHP_GLOB_NOSPACE);
726
0
      }
727
0
      if (g_lstat(pathbuf, &sb, pglob))
728
0
        return(0);
729
730
0
      if (((pglob->gl_flags & PHP_GLOB_MARK) &&
731
0
        pathend[-1] != SEP) && (S_ISDIR(sb.st_mode) ||
732
0
        (S_ISLNK(sb.st_mode) &&
733
0
        (g_stat(pathbuf, &sb, pglob) == 0) &&
734
0
        S_ISDIR(sb.st_mode)))) {
735
0
        if (pathend+1 > pathend_last)
736
0
          return (1);
737
0
        *pathend++ = SEP;
738
0
        *pathend = EOS;
739
0
      }
740
0
      ++pglob->gl_matchc;
741
0
      return(globextend(pathbuf, pglob, limitp, &sb));
742
0
    }
743
744
    /* Find end of next segment, copy tentatively to pathend. */
745
0
    q = pathend;
746
0
    p = pattern;
747
0
    while (*p != EOS && !IS_SLASH(*p)) {
748
0
      if (ismeta(*p))
749
0
        anymeta = 1;
750
0
      if (q+1 > pathend_last)
751
0
        return (1);
752
0
      *q++ = *p++;
753
0
    }
754
755
0
    if (!anymeta) {   /* No expansion, do next segment. */
756
0
      pathend = q;
757
0
      pattern = p;
758
0
      while (IS_SLASH(*pattern)) {
759
0
        if (pathend+1 > pathend_last)
760
0
          return (1);
761
0
        *pathend++ = *pattern++;
762
0
      }
763
0
    } else
764
      /* Need expansion, recurse. */
765
0
      return(glob3(pathbuf, pathbuf_last, pathend,
766
0
        pathend_last, pattern, p, pattern_last,
767
0
        pglob, limitp));
768
0
  }
769
  /* NOTREACHED */
770
0
}
771
772
/*
 * Expand one pattern segment that contains meta characters.
 *
 * Opens the directory named by pathbuf (terminated at pathend), and for
 * every entry whose name matches pattern..restpattern appends the name to
 * the path and continues with glob2() on the rest of the pattern.
 *
 * Returns 0 on success (including an unreadable directory that the error
 * callback tolerates), 1 when a name does not fit into the path buffer,
 * PHP_GLOB_ABORTED when the error callback or PHP_GLOB_ERR asks to stop,
 * PHP_GLOB_NOSPACE when the readdir limit is hit, or the first non-zero
 * result from glob2().
 */
static int glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last, Char *pattern, Char *restpattern, Char *restpattern_last, php_glob_t *pglob, struct glob_lim *limitp)
{
	struct dirent *entry;
	DIR *dirp;
	int err = 0;
	char buf[PATH_MAX];

	/*
	 * The readdirfunc declaration can't be prototyped, because it is
	 * assigned, below, to two functions which are prototyped in glob.h
	 * and dirent.h as taking pointers to differently typed opaque
	 * structures.
	 */
	struct dirent *(*readdirfunc)(void *);

	if (pathend > pathend_last) {
		return (1);
	}
	*pathend = EOS;
	errno = 0;

	dirp = g_opendir(pathbuf, pglob);
	if (dirp == NULL) {
		/* TODO: don't call for ENOENT or ENOTDIR? */
		if (pglob->gl_errfunc) {
			if (g_Ctoc(pathbuf, buf, sizeof(buf))) {
				return(PHP_GLOB_ABORTED);
			}
			if (pglob->gl_errfunc(buf, errno) ||
			    pglob->gl_flags & PHP_GLOB_ERR) {
				return(PHP_GLOB_ABORTED);
			}
		}
		return(0);
	}

	/* Search directory for matching names. */
	if (pglob->gl_flags & PHP_GLOB_ALTDIRFUNC) {
		readdirfunc = pglob->gl_readdir;
	} else {
		readdirfunc = (struct dirent *(*)(void *))readdir;
	}

	while ((entry = (*readdirfunc)(dirp))) {
		uint8_t *src;
		Char *dst;

		if ((pglob->gl_flags & PHP_GLOB_LIMIT) &&
		    limitp->glim_readdir++ >= PHP_GLOB_LIMIT_READDIR) {
			errno = 0;
			*pathend++ = SEP;
			*pathend = EOS;
			err = PHP_GLOB_NOSPACE;
			break;
		}

		/* Initial DOT must be matched literally. */
		if (entry->d_name[0] == DOT && *pattern != DOT) {
			continue;
		}

		/* Append the entry name (including its terminator) to the path. */
		dst = pathend;
		src = (uint8_t *) entry->d_name;
		while (dst < pathend_last && (*dst++ = *src++) != EOS)
			;
		if (dst >= pathend_last) {
			*dst = EOS;
			err = 1;
			break;
		}

		if (!match(pathend, pattern, restpattern)) {
			*pathend = EOS;
			continue;
		}

		/* --dst steps back onto the terminator just copied. */
		err = glob2(pathbuf, pathbuf_last, --dst, pathend_last,
		    restpattern, restpattern_last, pglob, limitp);
		if (err) {
			break;
		}
	}

	if (pglob->gl_flags & PHP_GLOB_ALTDIRFUNC) {
		(*pglob->gl_closedir)(dirp);
	} else {
		closedir(dirp);
	}
	return(err);
}
853
854
855
/*
856
 * Extend the gl_pathv member of a php_glob_t structure to accommodate a new item,
857
 * add the new item, and update gl_pathc.
858
 *
859
 * This assumes the BSD realloc, which only copies the block when its size
860
 * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic
861
 * behavior.
862
 *
863
 * Return 0 if new item added, error code if memory couldn't be allocated.
864
 *
865
 * Invariant of the php_glob_t structure:
866
 *  Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and
867
 *  gl_pathv points to (gl_offs + gl_pathc + 1) items.
868
 */
869
static int globextend(const Char *path, php_glob_t *pglob, struct glob_lim *limitp, zend_stat_t *sb)
870
0
{
871
0
  char **pathv;
872
0
  size_t i, newn, len;
873
0
  char *copy = NULL;
874
0
  const Char *p;
875
0
  zend_stat_t **statv;
876
877
0
  newn = 2 + pglob->gl_pathc + pglob->gl_offs;
878
0
  if (pglob->gl_offs >= SSIZE_MAX ||
879
0
    pglob->gl_pathc >= SSIZE_MAX ||
880
0
    newn >= SSIZE_MAX ||
881
0
    SIZE_MAX / sizeof(*pathv) <= newn ||
882
0
    SIZE_MAX / sizeof(*statv) <= newn) {
883
0
 nospace:
884
0
    for (i = pglob->gl_offs; i < newn - 2; i++) {
885
0
      if (pglob->gl_pathv && pglob->gl_pathv[i])
886
0
        free(pglob->gl_pathv[i]);
887
0
      if ((pglob->gl_flags & PHP_GLOB_KEEPSTAT) != 0 &&
888
0
        pglob->gl_pathv && pglob->gl_pathv[i])
889
0
        free(pglob->gl_statv[i]);
890
0
    }
891
0
    free(pglob->gl_pathv);
892
0
    pglob->gl_pathv = NULL;
893
0
    free(pglob->gl_statv);
894
0
    pglob->gl_statv = NULL;
895
0
    return(PHP_GLOB_NOSPACE);
896
0
  }
897
898
0
  pathv = reallocarray(pglob->gl_pathv, newn, sizeof(*pathv));
899
0
  if (pathv == NULL)
900
0
    goto nospace;
901
0
  if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) {
902
    /* first time around -- clear initial gl_offs items */
903
0
    pathv += pglob->gl_offs;
904
0
    for (i = pglob->gl_offs; i > 0; i--)
905
0
      *--pathv = NULL;
906
0
  }
907
0
  pglob->gl_pathv = pathv;
908
909
0
  if ((pglob->gl_flags & PHP_GLOB_KEEPSTAT) != 0) {
910
0
    statv = reallocarray(pglob->gl_statv, newn, sizeof(*statv));
911
0
    if (statv == NULL)
912
0
      goto nospace;
913
0
    if (pglob->gl_statv == NULL && pglob->gl_offs > 0) {
914
      /* first time around -- clear initial gl_offs items */
915
0
      statv += pglob->gl_offs;
916
0
      for (i = pglob->gl_offs; i > 0; i--)
917
0
        *--statv = NULL;
918
0
    }
919
0
    pglob->gl_statv = statv;
920
0
    if (sb == NULL)
921
0
      statv[pglob->gl_offs + pglob->gl_pathc] = NULL;
922
0
    else {
923
0
      limitp->glim_malloc += sizeof(**statv);
924
0
      if ((pglob->gl_flags & PHP_GLOB_LIMIT) &&
925
0
        limitp->glim_malloc >= PHP_GLOB_LIMIT_MALLOC) {
926
0
        errno = 0;
927
0
        return(PHP_GLOB_NOSPACE);
928
0
      }
929
0
      if ((statv[pglob->gl_offs + pglob->gl_pathc] =
930
0
        malloc(sizeof(**statv))) == NULL)
931
0
        goto copy_error;
932
0
      memcpy(statv[pglob->gl_offs + pglob->gl_pathc], sb,
933
0
        sizeof(*sb));
934
0
    }
935
0
    statv[pglob->gl_offs + pglob->gl_pathc + 1] = NULL;
936
0
  }
937
938
0
  for (p = path; *p++;)
939
0
    ;
940
0
  len = (size_t)(p - path);
941
0
  limitp->glim_malloc += len;
942
0
  if ((copy = malloc(len)) != NULL) {
943
0
    if (g_Ctoc(path, copy, len)) {
944
0
      free(copy);
945
0
      return(PHP_GLOB_NOSPACE);
946
0
    }
947
0
    pathv[pglob->gl_offs + pglob->gl_pathc++] = copy;
948
0
  }
949
0
  pathv[pglob->gl_offs + pglob->gl_pathc] = NULL;
950
951
0
  if ((pglob->gl_flags & PHP_GLOB_LIMIT) &&
952
0
    (newn * sizeof(*pathv)) + limitp->glim_malloc >
953
0
    PHP_GLOB_LIMIT_MALLOC) {
954
0
    errno = 0;
955
0
    return(PHP_GLOB_NOSPACE);
956
0
  }
957
0
 copy_error:
958
0
  return(copy == NULL ? PHP_GLOB_NOSPACE : 0);
959
0
}
960
961
962
/*
963
 * pattern matching function for filenames.  Each occurrence of the *
964
 * pattern causes an iteration.
965
 *
966
 * Note, this function differs from the original as per the discussion
967
 * here: https://research.swtch.com/glob
968
 *
969
 * Basically we removed the recursion and made it use the algorithm
970
 * from Russ Cox to not go quadratic on cases like a file called
971
 * ("a" x 100) . "x" matched against a pattern like "a*a*a*a*a*a*a*y".
972
 */
973
static int match(Char *name, Char *pat, Char *patend)
{
	/*
	 * Match `name` against the compiled pattern [pat, patend).
	 * Returns 1 on a match and 0 otherwise.
	 *
	 * Instead of recursing on '*', the most recent '*' is remembered as a
	 * single restart point (resume_pat / resume_name).  On a mismatch the
	 * matcher rewinds to that '*' and retries with one more character of
	 * the name consumed by it.
	 */
	Char *resume_pat = NULL;	/* pattern position of the last '*' */
	Char *resume_name = NULL;	/* name position to retry from */
	Char pc;			/* current pattern element */
	Char nc;			/* current name character (sets only) */
	int matched, negated;

restart:
	while (pat < patend) {
		pc = *pat++;
		switch (pc & M_MASK) {
		case M_ALL:
			/* Collapse a run of '*' into one. */
			while (pat < patend && (*pat & M_MASK) == M_ALL)
				pat++;
			/* A trailing '*' matches whatever is left. */
			if (pat == patend)
				return(1);
			/* More pattern follows but the name is used up. */
			if (*name == EOS)
				return(0);
			/* Record where to restart if the rest fails. */
			resume_name = name + 1;
			resume_pat = pat - 1;
			break;

		case M_ONE:
			if (*name++ == EOS)
				goto mismatch;
			break;

		case M_SET:
			nc = *name++;
			if (nc == EOS)
				goto mismatch;
			matched = 0;
			negated = ((*pat & M_MASK) == M_NOT);
			if (negated)
				++pat;
			/* Walk the set members up to the closing M_END. */
			for (pc = *pat++; (pc & M_MASK) != M_END; pc = *pat++) {
				if ((pc & M_MASK) == M_CLASS) {
					Char idx = *pat & M_MASK;

					if (idx < NCCLASSES &&
					    cclasses[idx].isctype(nc))
						matched = 1;
					++pat;
				}
				if ((*pat & M_MASK) == M_RNG) {
					if (pc <= nc && nc <= pat[1])
						matched = 1;
					pat += 2;
				} else if (pc == nc) {
					matched = 1;
				}
			}
			if (matched == negated)
				goto mismatch;
			break;

		default:
			/* Ordinary character: must match exactly. */
			if (*name++ != pc)
				goto mismatch;
			break;
		}
	}

	/* Pattern exhausted: success only if the name is exhausted too. */
	if (*name == EOS)
		return(1);

mismatch:
	if (resume_name == NULL)
		return(0);
	pat = resume_pat;
	name = resume_name;
	goto restart;
}
1039
1040
/* Free allocated data belonging to a php_glob_t structure. */
1041
PHPAPI void php_globfree(php_glob_t *pglob)
{
	/*
	 * Release the path vector and the stat vector held by pglob, along
	 * with every element they own, and reset both pointers to NULL.
	 *
	 * Both vectors carry gl_offs leading slots before the gl_pathc real
	 * entries, so the owned elements live at [gl_offs, gl_offs + gl_pathc).
	 */
	size_t i;

	if (pglob->gl_pathv != NULL) {
		char **pp = pglob->gl_pathv + pglob->gl_offs;

		for (i = pglob->gl_pathc; i--; ++pp)
			free(*pp);
		free(pglob->gl_pathv);
		pglob->gl_pathv = NULL;
	}
	if (pglob->gl_statv != NULL) {
		/*
		 * Index from gl_offs, exactly like the path vector above:
		 * stat buffers are stored at gl_offs + n, so starting at 0
		 * would miss the last gl_offs buffers and leak them.
		 */
		for (i = 0; i < pglob->gl_pathc; i++) {
			free(pglob->gl_statv[pglob->gl_offs + i]);
		}
		free(pglob->gl_statv);
		pglob->gl_statv = NULL;
	}
}
1061
1062
static DIR *g_opendir(Char *str, php_glob_t *pglob)
{
	/*
	 * Open the directory named by the Char string `str`; an empty
	 * string means ".".  Returns NULL when the name does not fit in a
	 * PATH_MAX buffer.  Uses pglob->gl_opendir when PHP_GLOB_ALTDIRFUNC
	 * is set, opendir() otherwise.
	 */
	char buf[PATH_MAX];

	if (*str) {
		if (g_Ctoc(str, buf, sizeof(buf)))
			return(NULL);
	} else {
		strlcpy(buf, ".", sizeof buf);
	}

	if (!(pglob->gl_flags & PHP_GLOB_ALTDIRFUNC))
		return(opendir(buf));

	return((*pglob->gl_opendir)(buf));
}
1078
1079
static int g_lstat(Char *fn, zend_stat_t *sb, php_glob_t *pglob)
{
	/*
	 * lstat the file named by the Char string `fn` into `sb`.
	 * Returns -1 when the name does not fit in a PATH_MAX buffer;
	 * otherwise returns whatever the underlying call returns
	 * (pglob->gl_lstat under PHP_GLOB_ALTDIRFUNC, else php_sys_lstat).
	 */
	char path[PATH_MAX];

	if (g_Ctoc(fn, path, sizeof(path)) != 0)
		return(-1);

	if (!(pglob->gl_flags & PHP_GLOB_ALTDIRFUNC))
		return(php_sys_lstat(path, sb));

	return((*pglob->gl_lstat)(path, sb));
}
1089
1090
static int g_stat(Char *fn, zend_stat_t *sb, php_glob_t *pglob)
{
	/*
	 * stat the file named by the Char string `fn` into `sb`.
	 * Returns -1 when the name does not fit in a PATH_MAX buffer;
	 * otherwise returns whatever the underlying call returns
	 * (pglob->gl_stat under PHP_GLOB_ALTDIRFUNC, else php_sys_stat).
	 */
	char path[PATH_MAX];

	if (g_Ctoc(fn, path, sizeof(path)) != 0)
		return(-1);

	if (!(pglob->gl_flags & PHP_GLOB_ALTDIRFUNC))
		return(php_sys_stat(path, sb));

	return((*pglob->gl_stat)(path, sb));
}
1100
1101
static Char *g_strchr(const Char *str, int ch)
1102
0
{
1103
0
  do {
1104
0
    if (*str == ch)
1105
0
      return ((Char *)str);
1106
0
  } while (*str++);
1107
0
  return (NULL);
1108
0
}
1109
1110
static int g_Ctoc(const Char *str, char *buf, size_t len)
1111
0
{
1112
1113
0
  while (len--) {
1114
0
    if ((*buf++ = *str++) == EOS)
1115
0
      return (0);
1116
0
  }
1117
0
  return (1);
1118
0
}
1119
1120
#ifdef DEBUG
1121
static void qprintf(const char *str, Char *s)
{
	/*
	 * Debug dump of a Char string under the label `str`, as three rows:
	 * the characters, a '"' under each M_PROTECT-flagged element, and
	 * a '_' under each element for which ismeta() is true.
	 */
	Char *cur;

	(void)printf("%s:\n", str);

	cur = s;
	while (*cur) {
		(void)printf("%c", CHAR(*cur));
		cur++;
	}
	(void)printf("\n");

	cur = s;
	while (*cur) {
		(void)printf("%c", *cur & M_PROTECT ? '"' : ' ');
		cur++;
	}
	(void)printf("\n");

	cur = s;
	while (*cur) {
		(void)printf("%c", ismeta(*cur) ? '_' : ' ');
		cur++;
	}
	(void)printf("\n");
}
1136
#endif
1137
1138
#endif /* defined(HAVE_GLOB) */