-= CVE-2006-6652 =-

Vulnerable versions: libc in NetBSD-current before 20050914, 
                     NetBSD 2.* and 3.* before 20061203
File(s): src/lib/libc/gen/glob.c
Download from:
 To get the original file, do the following (using bash):
  $ CVSROOT=:pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot; export CVSROOT
  $ cvs login
     ---> use the password "anoncvs"
  $ cvs co -D 2005-09-13 src/lib/libc/gen/glob.c
 If NetBSD has changed their anonymous cvs checkout procedures since
 the time of this writing, visit 
 http://www.netbsd.org/Documentation/current/#using-anoncvs-pserver
 for instructions.
  
Domain: C library

_ Vulnerable Functions and Buffers _

glob1() passes a buffer, pathbuf, to glob2(). glob1() also passes a
pointer, pathlim, which is meant to point to the end of pathbuf, for
glob2() and glob3() to use for bounds checking. pathlim is computed
incorrectly, so multiple instructions in glob2() and glob3() can
overflow pathbuf.
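
Added example, not code from glob.c or from the decomposed programs: a
limit computed in bytes instead of elements lets a callee that trusts it
write past the buffer. The specific miscalculation shown is an assumption,
since this page does not say which arithmetic error is involved; Char,
PATHLEN and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint16_t Char;   /* assumed 2-byte character type */
#define PATHLEN 8        /* hypothetical, small stand-in for the real buffer length */
#define PATHBUF_BYTES (PATHLEN * sizeof(Char))   /* what sizeof(pathbuf) would yield */

/* Constructed input: 12 non-zero characters, longer than the 8-slot buffer. */
static const Char sample[] = {'a','b','c','d','e','f','g','h','i','j','k','l',0};

/* Limit expressed as the index of the last usable slot. */
size_t limit_bad(void)  { return PATHBUF_BYTES - 1; }                 /* bytes used as elements */
size_t limit_good(void) { return PATHBUF_BYTES / sizeof(Char) - 1; }  /* element count */

/* Copy sample the way a callee trusting the limit would, and return how many
 * slots past the logical end of pathbuf were written. The store is twice
 * PATHLEN so the overrun stays inside one array and can be counted safely. */
size_t slots_overrun(size_t limit)
{
    Char store[2 * PATHLEN] = {0};   /* [0, PATHLEN) is pathbuf, the rest is guard */
    size_t i = 0, over = 0;

    while (sample[i] != 0 && i < limit) {
        store[i] = sample[i];
        i++;
    }
    store[i] = 0;                    /* terminator, still bounded by limit */

    for (size_t k = PATHLEN; k < 2 * PATHLEN; k++)
        if (store[k] != 0)
            over++;
    return over;
}

int main(void)
{
    printf("bad limit  %zu -> %zu slots overrun\n", limit_bad(), slots_overrun(limit_bad()));
    printf("good limit %zu -> %zu slots overrun\n", limit_good(), slots_overrun(limit_good()));
    return 0;
}
```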

_ Decomposed Programs _

glob.h

glob1/
  bounds_bad.c

glob2/
  loop_bad.c
  noAnyMeta_int_bad.c
  noAnyMeta_ptr_bad.c
  anyMeta_int_bad.c
  anyMeta_ptr_bad.c
  glob2_int_bad.c
  glob2_ptr_bad.c

glob3/
  loop_int_bad.c
  loop_ptr_bad.c
  glob3_int_bad.c
  glob3_ptr_bad.c
