xref: /freebsd/lib/libc/gen/glob.c (revision 8d59ecb214f7e078e57d35b865f33efc5d7cdf4d)
1 /*
2  * Copyright (c) 1989, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * This code is derived from software contributed to Berkeley by
6  * Guido van Rossum.
7  *
8  * Copyright (c) 2011 The FreeBSD Foundation
9  * All rights reserved.
10  * Portions of this software were developed by David Chisnall
11  * under sponsorship from the FreeBSD Foundation.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 4. Neither the name of the University nor the names of its contributors
22  *    may be used to endorse or promote products derived from this software
23  *    without specific prior written permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
29  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35  * SUCH DAMAGE.
36  */
37 
38 #if defined(LIBC_SCCS) && !defined(lint)
39 static char sccsid[] = "@(#)glob.c	8.3 (Berkeley) 10/13/93";
40 #endif /* LIBC_SCCS and not lint */
41 #include <sys/cdefs.h>
42 __FBSDID("$FreeBSD$");
43 
44 /*
45  * glob(3) -- a superset of the one defined in POSIX 1003.2.
46  *
47  * The [!...] convention to negate a range is supported (SysV, Posix, ksh).
48  *
49  * Optional extra services, controlled by flags not defined by POSIX:
50  *
51  * GLOB_QUOTE:
52  *	Escaping convention: \ inhibits any special meaning the following
53  *	character might have (except \ at end of string is retained).
54  * GLOB_MAGCHAR:
55  *	Set in gl_flags if pattern contained a globbing character.
56  * GLOB_NOMAGIC:
57  *	Same as GLOB_NOCHECK, but it will only append pattern if it did
58  *	not contain any magic characters.  [Used in csh style globbing]
59  * GLOB_ALTDIRFUNC:
60  *	Use alternately specified directory access functions.
61  * GLOB_TILDE:
62  *	expand ~user/foo to the /home/dir/of/user/foo
63  * GLOB_BRACE:
64  *	expand {1,2}{a,b} to 1a 1b 2a 2b
65  * gl_matchc:
66  *	Number of matches in the current invocation of glob.
67  */
68 
69 /*
70  * Some notes on multibyte character support:
71  * 1. Patterns with illegal byte sequences match nothing - even if
72  *    GLOB_NOCHECK is specified.
73  * 2. Illegal byte sequences in filenames are handled by treating them as
74  *    single-byte characters with a value of the first byte of the sequence
75  *    cast to wchar_t.
76  * 3. State-dependent encodings are not currently supported.
77  */
78 
79 #include <sys/param.h>
80 #include <sys/stat.h>
81 
82 #include <ctype.h>
83 #include <dirent.h>
84 #include <errno.h>
85 #include <glob.h>
86 #include <limits.h>
87 #include <pwd.h>
88 #include <stdint.h>
89 #include <stdio.h>
90 #include <stdlib.h>
91 #include <string.h>
92 #include <unistd.h>
93 #include <wchar.h>
94 
95 #include "collate.h"
96 
97 /*
98  * glob(3) expansion limits. Stop the expansion if any of these limits
99  * is reached. This caps the runtime in the face of DoS attacks. See
100  * also CVE-2010-2632
101  */
102 #define	GLOB_LIMIT_BRACE	128	/* number of brace calls */
103 #define	GLOB_LIMIT_PATH		65536	/* number of path elements */
104 #define	GLOB_LIMIT_READDIR	16384	/* number of readdirs */
105 #define	GLOB_LIMIT_STAT		1024	/* number of stat system calls */
106 #define	GLOB_LIMIT_STRING	ARG_MAX	/* maximum total size for paths */
107 
108 struct glob_limit {
109 	size_t	l_brace_cnt;
110 	size_t	l_path_lim;
111 	size_t	l_readdir_cnt;
112 	size_t	l_stat_cnt;
113 	size_t	l_string_cnt;
114 };
115 
116 #define	DOLLAR		'$'
117 #define	DOT		'.'
118 #define	EOS		'\0'
119 #define	LBRACKET	'['
120 #define	NOT		'!'
121 #define	QUESTION	'?'
122 #define	QUOTE		'\\'
123 #define	RANGE		'-'
124 #define	RBRACKET	']'
125 #define	SEP		'/'
126 #define	STAR		'*'
127 #define	TILDE		'~'
128 #define	UNDERSCORE	'_'
129 #define	LBRACE		'{'
130 #define	RBRACE		'}'
131 #define	SLASH		'/'
132 #define	COMMA		','
133 
134 #ifndef DEBUG
135 
136 #define	M_QUOTE		0x8000000000ULL
137 #define	M_PROTECT	0x4000000000ULL
138 #define	M_MASK		0xffffffffffULL
139 #define	M_CHAR		0x00ffffffffULL
140 
141 typedef uint_fast64_t Char;
142 
143 #else
144 
145 #define	M_QUOTE		0x80
146 #define	M_PROTECT	0x40
147 #define	M_MASK		0xff
148 #define	M_CHAR		0x7f
149 
150 typedef char Char;
151 
152 #endif
153 
154 
155 #define	CHAR(c)		((Char)((c)&M_CHAR))
156 #define	META(c)		((Char)((c)|M_QUOTE))
157 #define	M_ALL		META('*')
158 #define	M_END		META(']')
159 #define	M_NOT		META('!')
160 #define	M_ONE		META('?')
161 #define	M_RNG		META('-')
162 #define	M_SET		META('[')
163 #define	ismeta(c)	(((c)&M_QUOTE) != 0)
164 
165 
166 static int	 compare(const void *, const void *);
167 static int	 g_Ctoc(const Char *, char *, size_t);
168 static int	 g_lstat(Char *, struct stat *, glob_t *);
169 static DIR	*g_opendir(Char *, glob_t *);
170 static const Char *g_strchr(const Char *, wchar_t);
171 #ifdef notdef
172 static Char	*g_strcat(Char *, const Char *);
173 #endif
174 static int	 g_stat(Char *, struct stat *, glob_t *);
175 static int	 glob0(const Char *, glob_t *, struct glob_limit *);
176 static int	 glob1(Char *, glob_t *, struct glob_limit *);
177 static int	 glob2(Char *, Char *, Char *, Char *, glob_t *,
178     struct glob_limit *);
179 static int	 glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
180     struct glob_limit *);
181 static int	 globextend(const Char *, glob_t *, struct glob_limit *);
182 static const Char *
183 		 globtilde(const Char *, Char *, size_t, glob_t *);
184 static int	 globexp1(const Char *, glob_t *, struct glob_limit *);
185 static int	 globexp2(const Char *, const Char *, glob_t *, int *,
186     struct glob_limit *);
187 static int	 match(Char *, Char *, Char *);
188 #ifdef DEBUG
189 static void	 qprintf(const char *, Char *);
190 #endif
191 
192 int
193 glob(const char * __restrict pattern, int flags,
194 	 int (*errfunc)(const char *, int), glob_t * __restrict pglob)
195 {
196 	struct glob_limit limit = { 0, 0, 0, 0, 0 };
197 	const char *patnext;
198 	Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot;
199 	mbstate_t mbs;
200 	wchar_t wc;
201 	size_t clen;
202 
203 	patnext = pattern;
204 	if (!(flags & GLOB_APPEND)) {
205 		pglob->gl_pathc = 0;
206 		pglob->gl_pathv = NULL;
207 		if (!(flags & GLOB_DOOFFS))
208 			pglob->gl_offs = 0;
209 	}
210 	if (flags & GLOB_LIMIT) {
211 		limit.l_path_lim = pglob->gl_matchc;
212 		if (limit.l_path_lim == 0)
213 			limit.l_path_lim = GLOB_LIMIT_PATH;
214 	}
215 	pglob->gl_flags = flags & ~GLOB_MAGCHAR;
216 	pglob->gl_errfunc = errfunc;
217 	pglob->gl_matchc = 0;
218 
219 	bufnext = patbuf;
220 	bufend = bufnext + MAXPATHLEN - 1;
221 	if (flags & GLOB_NOESCAPE) {
222 		memset(&mbs, 0, sizeof(mbs));
223 		while (bufend - bufnext >= MB_CUR_MAX) {
224 			clen = mbrtowc(&wc, patnext, MB_LEN_MAX, &mbs);
225 			if (clen == (size_t)-1 || clen == (size_t)-2)
226 				return (GLOB_NOMATCH);
227 			else if (clen == 0)
228 				break;
229 			*bufnext++ = wc;
230 			patnext += clen;
231 		}
232 	} else {
233 		/* Protect the quoted characters. */
234 		memset(&mbs, 0, sizeof(mbs));
235 		while (bufend - bufnext >= MB_CUR_MAX) {
236 			if (*patnext == QUOTE) {
237 				if (*++patnext == EOS) {
238 					*bufnext++ = QUOTE | M_PROTECT;
239 					continue;
240 				}
241 				prot = M_PROTECT;
242 			} else
243 				prot = 0;
244 			clen = mbrtowc(&wc, patnext, MB_LEN_MAX, &mbs);
245 			if (clen == (size_t)-1 || clen == (size_t)-2)
246 				return (GLOB_NOMATCH);
247 			else if (clen == 0)
248 				break;
249 			*bufnext++ = wc | prot;
250 			patnext += clen;
251 		}
252 	}
253 	*bufnext = EOS;
254 
255 	if (flags & GLOB_BRACE)
256 	    return (globexp1(patbuf, pglob, &limit));
257 	else
258 	    return (glob0(patbuf, pglob, &limit));
259 }
260 
261 /*
262  * Expand recursively a glob {} pattern. When there is no more expansion
263  * invoke the standard globbing routine to glob the rest of the magic
264  * characters
265  */
266 static int
267 globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
268 {
269 	const Char* ptr = pattern;
270 	int rv;
271 
272 	if ((pglob->gl_flags & GLOB_LIMIT) &&
273 	    limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
274 		errno = 0;
275 		return (GLOB_NOSPACE);
276 	}
277 
278 	/* Protect a single {}, for find(1), like csh */
279 	if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
280 		return glob0(pattern, pglob, limit);
281 
282 	while ((ptr = g_strchr(ptr, LBRACE)) != NULL)
283 		if (!globexp2(ptr, pattern, pglob, &rv, limit))
284 			return rv;
285 
286 	return glob0(pattern, pglob, limit);
287 }
288 
289 
290 /*
291  * Recursive brace globbing helper. Tries to expand a single brace.
292  * If it succeeds then it invokes globexp1 with the new pattern.
293  * If it fails then it tries to glob the rest of the pattern and returns.
294  */
295 static int
296 globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
297     struct glob_limit *limit)
298 {
299 	int     i;
300 	Char   *lm, *ls;
301 	const Char *pe, *pm, *pm1, *pl;
302 	Char    patbuf[MAXPATHLEN];
303 
304 	/* copy part up to the brace */
305 	for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++)
306 		continue;
307 	*lm = EOS;
308 	ls = lm;
309 
310 	/* Find the balanced brace */
311 	for (i = 0, pe = ++ptr; *pe; pe++)
312 		if (*pe == LBRACKET) {
313 			/* Ignore everything between [] */
314 			for (pm = pe++; *pe != RBRACKET && *pe != EOS; pe++)
315 				continue;
316 			if (*pe == EOS) {
317 				/*
318 				 * We could not find a matching RBRACKET.
319 				 * Ignore and just look for RBRACE
320 				 */
321 				pe = pm;
322 			}
323 		}
324 		else if (*pe == LBRACE)
325 			i++;
326 		else if (*pe == RBRACE) {
327 			if (i == 0)
328 				break;
329 			i--;
330 		}
331 
332 	/* Non matching braces; just glob the pattern */
333 	if (i != 0 || *pe == EOS) {
334 		*rv = glob0(patbuf, pglob, limit);
335 		return (0);
336 	}
337 
338 	for (i = 0, pl = pm = ptr; pm <= pe; pm++)
339 		switch (*pm) {
340 		case LBRACKET:
341 			/* Ignore everything between [] */
342 			for (pm1 = pm++; *pm != RBRACKET && *pm != EOS; pm++)
343 				continue;
344 			if (*pm == EOS) {
345 				/*
346 				 * We could not find a matching RBRACKET.
347 				 * Ignore and just look for RBRACE
348 				 */
349 				pm = pm1;
350 			}
351 			break;
352 
353 		case LBRACE:
354 			i++;
355 			break;
356 
357 		case RBRACE:
358 			if (i) {
359 			    i--;
360 			    break;
361 			}
362 			/* FALLTHROUGH */
363 		case COMMA:
364 			if (i && *pm == COMMA)
365 				break;
366 			else {
367 				/* Append the current string */
368 				for (lm = ls; (pl < pm); *lm++ = *pl++)
369 					continue;
370 				/*
371 				 * Append the rest of the pattern after the
372 				 * closing brace
373 				 */
374 				for (pl = pe + 1; (*lm++ = *pl++) != EOS;)
375 					continue;
376 
377 				/* Expand the current pattern */
378 #ifdef DEBUG
379 				qprintf("globexp2:", patbuf);
380 #endif
381 				*rv = globexp1(patbuf, pglob, limit);
382 
383 				/* move after the comma, to the next string */
384 				pl = pm + 1;
385 			}
386 			break;
387 
388 		default:
389 			break;
390 		}
391 	*rv = 0;
392 	return (0);
393 }
394 
395 
396 
397 /*
398  * expand tilde from the passwd file.
399  */
400 static const Char *
401 globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
402 {
403 	struct passwd *pwd;
404 	char *h;
405 	const Char *p;
406 	Char *b, *eb;
407 
408 	if (*pattern != TILDE || !(pglob->gl_flags & GLOB_TILDE))
409 		return (pattern);
410 
411 	/*
412 	 * Copy up to the end of the string or /
413 	 */
414 	eb = &patbuf[patbuf_len - 1];
415 	for (p = pattern + 1, h = (char *) patbuf;
416 	    h < (char *)eb && *p && *p != SLASH; *h++ = *p++)
417 		continue;
418 
419 	*h = EOS;
420 
421 	if (((char *) patbuf)[0] == EOS) {
422 		/*
423 		 * handle a plain ~ or ~/ by expanding $HOME first (iff
424 		 * we're not running setuid or setgid) and then trying
425 		 * the password file
426 		 */
427 		if (issetugid() != 0 ||
428 		    (h = getenv("HOME")) == NULL) {
429 			if (((h = getlogin()) != NULL &&
430 			     (pwd = getpwnam(h)) != NULL) ||
431 			    (pwd = getpwuid(getuid())) != NULL)
432 				h = pwd->pw_dir;
433 			else
434 				return (pattern);
435 		}
436 	}
437 	else {
438 		/*
439 		 * Expand a ~user
440 		 */
441 		if ((pwd = getpwnam((char*) patbuf)) == NULL)
442 			return (pattern);
443 		else
444 			h = pwd->pw_dir;
445 	}
446 
447 	/* Copy the home directory */
448 	for (b = patbuf; b < eb && *h; *b++ = *h++)
449 		continue;
450 
451 	/* Append the rest of the pattern */
452 	while (b < eb && (*b++ = *p++) != EOS)
453 		continue;
454 	*b = EOS;
455 
456 	return (patbuf);
457 }
458 
459 
460 /*
461  * The main glob() routine: compiles the pattern (optionally processing
462  * quotes), calls glob1() to do the real pattern matching, and finally
463  * sorts the list (unless unsorted operation is requested).  Returns 0
464  * if things went well, nonzero if errors occurred.
465  */
466 static int
467 glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
468 {
469 	const Char *qpatnext;
470 	int err;
471 	size_t oldpathc;
472 	Char *bufnext, c, patbuf[MAXPATHLEN];
473 
474 	qpatnext = globtilde(pattern, patbuf, MAXPATHLEN, pglob);
475 	oldpathc = pglob->gl_pathc;
476 	bufnext = patbuf;
477 
478 	/* We don't need to check for buffer overflow any more. */
479 	while ((c = *qpatnext++) != EOS) {
480 		switch (c) {
481 		case LBRACKET:
482 			c = *qpatnext;
483 			if (c == NOT)
484 				++qpatnext;
485 			if (*qpatnext == EOS ||
486 			    g_strchr(qpatnext+1, RBRACKET) == NULL) {
487 				*bufnext++ = LBRACKET;
488 				if (c == NOT)
489 					--qpatnext;
490 				break;
491 			}
492 			*bufnext++ = M_SET;
493 			if (c == NOT)
494 				*bufnext++ = M_NOT;
495 			c = *qpatnext++;
496 			do {
497 				*bufnext++ = CHAR(c);
498 				if (*qpatnext == RANGE &&
499 				    (c = qpatnext[1]) != RBRACKET) {
500 					*bufnext++ = M_RNG;
501 					*bufnext++ = CHAR(c);
502 					qpatnext += 2;
503 				}
504 			} while ((c = *qpatnext++) != RBRACKET);
505 			pglob->gl_flags |= GLOB_MAGCHAR;
506 			*bufnext++ = M_END;
507 			break;
508 		case QUESTION:
509 			pglob->gl_flags |= GLOB_MAGCHAR;
510 			*bufnext++ = M_ONE;
511 			break;
512 		case STAR:
513 			pglob->gl_flags |= GLOB_MAGCHAR;
514 			/* collapse adjacent stars to one,
515 			 * to avoid exponential behavior
516 			 */
517 			if (bufnext == patbuf || bufnext[-1] != M_ALL)
518 			    *bufnext++ = M_ALL;
519 			break;
520 		default:
521 			*bufnext++ = CHAR(c);
522 			break;
523 		}
524 	}
525 	*bufnext = EOS;
526 #ifdef DEBUG
527 	qprintf("glob0:", patbuf);
528 #endif
529 
530 	if ((err = glob1(patbuf, pglob, limit)) != 0)
531 		return(err);
532 
533 	/*
534 	 * If there was no match we are going to append the pattern
535 	 * if GLOB_NOCHECK was specified or if GLOB_NOMAGIC was specified
536 	 * and the pattern did not contain any magic characters
537 	 * GLOB_NOMAGIC is there just for compatibility with csh.
538 	 */
539 	if (pglob->gl_pathc == oldpathc) {
540 		if (((pglob->gl_flags & GLOB_NOCHECK) ||
541 		    ((pglob->gl_flags & GLOB_NOMAGIC) &&
542 			!(pglob->gl_flags & GLOB_MAGCHAR))))
543 			return (globextend(pattern, pglob, limit));
544 		else
545 			return (GLOB_NOMATCH);
546 	}
547 	if (!(pglob->gl_flags & GLOB_NOSORT))
548 		qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
549 		    pglob->gl_pathc - oldpathc, sizeof(char *), compare);
550 	return (0);
551 }
552 
553 static int
554 compare(const void *p, const void *q)
555 {
556 	return (strcmp(*(char **)p, *(char **)q));
557 }
558 
559 static int
560 glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
561 {
562 	Char pathbuf[MAXPATHLEN];
563 
564 	/* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */
565 	if (*pattern == EOS)
566 		return (0);
567 	return (glob2(pathbuf, pathbuf, pathbuf + MAXPATHLEN - 1,
568 	    pattern, pglob, limit));
569 }
570 
571 /*
572  * The functions glob2 and glob3 are mutually recursive; there is one level
573  * of recursion for each segment in the pattern that contains one or more
574  * meta characters.
575  */
576 static int
577 glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
578       glob_t *pglob, struct glob_limit *limit)
579 {
580 	struct stat sb;
581 	Char *p, *q;
582 	int anymeta;
583 
584 	/*
585 	 * Loop over pattern segments until end of pattern or until
586 	 * segment with meta character found.
587 	 */
588 	for (anymeta = 0;;) {
589 		if (*pattern == EOS) {		/* End of pattern? */
590 			*pathend = EOS;
591 			if (g_lstat(pathbuf, &sb, pglob))
592 				return (0);
593 
594 			if ((pglob->gl_flags & GLOB_LIMIT) &&
595 			    limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
596 				errno = 0;
597 				if (pathend + 1 > pathend_last)
598 					return (GLOB_ABORTED);
599 				*pathend++ = SEP;
600 				*pathend = EOS;
601 				return (GLOB_NOSPACE);
602 			}
603 			if (((pglob->gl_flags & GLOB_MARK) &&
604 			    pathend[-1] != SEP) && (S_ISDIR(sb.st_mode)
605 			    || (S_ISLNK(sb.st_mode) &&
606 			    (g_stat(pathbuf, &sb, pglob) == 0) &&
607 			    S_ISDIR(sb.st_mode)))) {
608 				if (pathend + 1 > pathend_last)
609 					return (GLOB_ABORTED);
610 				*pathend++ = SEP;
611 				*pathend = EOS;
612 			}
613 			++pglob->gl_matchc;
614 			return (globextend(pathbuf, pglob, limit));
615 		}
616 
617 		/* Find end of next segment, copy tentatively to pathend. */
618 		q = pathend;
619 		p = pattern;
620 		while (*p != EOS && *p != SEP) {
621 			if (ismeta(*p))
622 				anymeta = 1;
623 			if (q + 1 > pathend_last)
624 				return (GLOB_ABORTED);
625 			*q++ = *p++;
626 		}
627 
628 		if (!anymeta) {		/* No expansion, do next segment. */
629 			pathend = q;
630 			pattern = p;
631 			while (*pattern == SEP) {
632 				if (pathend + 1 > pathend_last)
633 					return (GLOB_ABORTED);
634 				*pathend++ = *pattern++;
635 			}
636 		} else			/* Need expansion, recurse. */
637 			return (glob3(pathbuf, pathend, pathend_last, pattern,
638 			    p, pglob, limit));
639 	}
640 	/* NOTREACHED */
641 }
642 
643 static int
644 glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
645       Char *pattern, Char *restpattern,
646       glob_t *pglob, struct glob_limit *limit)
647 {
648 	struct dirent *dp;
649 	DIR *dirp;
650 	int err;
651 	char buf[MAXPATHLEN];
652 
653 	struct dirent *(*readdirfunc)(DIR *);
654 
655 	if (pathend > pathend_last)
656 		return (GLOB_ABORTED);
657 	*pathend = EOS;
658 	errno = 0;
659 
660 	if ((dirp = g_opendir(pathbuf, pglob)) == NULL) {
661 		/* TODO: don't call for ENOENT or ENOTDIR? */
662 		if (pglob->gl_errfunc) {
663 			if (g_Ctoc(pathbuf, buf, sizeof(buf)))
664 				return (GLOB_ABORTED);
665 			if (pglob->gl_errfunc(buf, errno) ||
666 			    pglob->gl_flags & GLOB_ERR)
667 				return (GLOB_ABORTED);
668 		}
669 		return (0);
670 	}
671 
672 	err = 0;
673 
674 	/* pglob->gl_readdir takes a void *, fix this manually */
675 	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
676 		readdirfunc = (struct dirent *(*)(DIR *))pglob->gl_readdir;
677 	else
678 		readdirfunc = readdir;
679 
680 	/* Search directory for matching names. */
681 	while ((dp = (*readdirfunc)(dirp)) != NULL) {
682 		char *sc;
683 		Char *dc;
684 		wchar_t wc;
685 		size_t clen;
686 		mbstate_t mbs;
687 
688 		if ((pglob->gl_flags & GLOB_LIMIT) &&
689 		    limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
690 			errno = 0;
691 			if (pathend + 1 > pathend_last)
692 				err = GLOB_ABORTED;
693 			else {
694 				*pathend++ = SEP;
695 				*pathend = EOS;
696 				err = GLOB_NOSPACE;
697 			}
698 			break;
699 		}
700 
701 		/* Initial DOT must be matched literally. */
702 		if (dp->d_name[0] == DOT && *pattern != DOT)
703 			continue;
704 		memset(&mbs, 0, sizeof(mbs));
705 		dc = pathend;
706 		sc = dp->d_name;
707 		while (dc < pathend_last) {
708 			clen = mbrtowc(&wc, sc, MB_LEN_MAX, &mbs);
709 			if (clen == (size_t)-1 || clen == (size_t)-2) {
710 				wc = *sc;
711 				clen = 1;
712 				memset(&mbs, 0, sizeof(mbs));
713 			}
714 			if ((*dc++ = wc) == EOS)
715 				break;
716 			sc += clen;
717 		}
718 		if (!match(pathend, pattern, restpattern)) {
719 			*pathend = EOS;
720 			continue;
721 		}
722 		err = glob2(pathbuf, --dc, pathend_last, restpattern,
723 		    pglob, limit);
724 		if (err)
725 			break;
726 	}
727 
728 	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
729 		(*pglob->gl_closedir)(dirp);
730 	else
731 		closedir(dirp);
732 	return (err);
733 }
734 
735 
736 /*
737  * Extend the gl_pathv member of a glob_t structure to accommodate a new item,
738  * add the new item, and update gl_pathc.
739  *
740  * This assumes the BSD realloc, which only copies the block when its size
741  * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic
742  * behavior.
743  *
744  * Return 0 if new item added, error code if memory couldn't be allocated.
745  *
746  * Invariant of the glob_t structure:
747  *	Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and
748  *	gl_pathv points to (gl_offs + gl_pathc + 1) items.
749  */
750 static int
751 globextend(const Char *path, glob_t *pglob, struct glob_limit *limit)
752 {
753 	char **pathv;
754 	size_t i, newsize, len;
755 	char *copy;
756 	const Char *p;
757 
758 	if ((pglob->gl_flags & GLOB_LIMIT) &&
759 	    pglob->gl_matchc > limit->l_path_lim) {
760 		errno = 0;
761 		return (GLOB_NOSPACE);
762 	}
763 
764 	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
765 	/* realloc(NULL, newsize) is equivalent to malloc(newsize). */
766 	pathv = realloc((void *)pglob->gl_pathv, newsize);
767 	if (pathv == NULL)
768 		return (GLOB_NOSPACE);
769 
770 	if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) {
771 		/* first time around -- clear initial gl_offs items */
772 		pathv += pglob->gl_offs;
773 		for (i = pglob->gl_offs + 1; --i > 0; )
774 			*--pathv = NULL;
775 	}
776 	pglob->gl_pathv = pathv;
777 
778 	for (p = path; *p++;)
779 		continue;
780 	len = MB_CUR_MAX * (size_t)(p - path);	/* XXX overallocation */
781 	limit->l_string_cnt += len;
782 	if ((pglob->gl_flags & GLOB_LIMIT) &&
783 	    limit->l_string_cnt >= GLOB_LIMIT_STRING) {
784 		errno = 0;
785 		return (GLOB_NOSPACE);
786 	}
787 	if ((copy = malloc(len)) != NULL) {
788 		if (g_Ctoc(path, copy, len)) {
789 			free(copy);
790 			return (GLOB_NOSPACE);
791 		}
792 		pathv[pglob->gl_offs + pglob->gl_pathc++] = copy;
793 	}
794 	pathv[pglob->gl_offs + pglob->gl_pathc] = NULL;
795 	return (copy == NULL ? GLOB_NOSPACE : 0);
796 }
797 
798 /*
799  * pattern matching function for filenames.  Each occurrence of the *
800  * pattern causes a recursion level.
801  */
802 static int
803 match(Char *name, Char *pat, Char *patend)
804 {
805 	int ok, negate_range;
806 	Char c, k;
807 	struct xlocale_collate *table =
808 		(struct xlocale_collate*)__get_locale()->components[XLC_COLLATE];
809 
810 	while (pat < patend) {
811 		c = *pat++;
812 		switch (c & M_MASK) {
813 		case M_ALL:
814 			if (pat == patend)
815 				return (1);
816 			do
817 			    if (match(name, pat, patend))
818 				    return (1);
819 			while (*name++ != EOS);
820 			return (0);
821 		case M_ONE:
822 			if (*name++ == EOS)
823 				return (0);
824 			break;
825 		case M_SET:
826 			ok = 0;
827 			if ((k = *name++) == EOS)
828 				return (0);
829 			if ((negate_range = ((*pat & M_MASK) == M_NOT)) != EOS)
830 				++pat;
831 			while (((c = *pat++) & M_MASK) != M_END)
832 				if ((*pat & M_MASK) == M_RNG) {
833 					if (table->__collate_load_error ?
834 					    CHAR(c) <= CHAR(k) && CHAR(k) <= CHAR(pat[1]) :
835 					       __collate_range_cmp(table, CHAR(c), CHAR(k)) <= 0
836 					    && __collate_range_cmp(table, CHAR(k), CHAR(pat[1])) <= 0
837 					   )
838 						ok = 1;
839 					pat += 2;
840 				} else if (c == k)
841 					ok = 1;
842 			if (ok == negate_range)
843 				return (0);
844 			break;
845 		default:
846 			if (*name++ != c)
847 				return (0);
848 			break;
849 		}
850 	}
851 	return (*name == EOS);
852 }
853 
854 /* Free allocated data belonging to a glob_t structure. */
855 void
856 globfree(glob_t *pglob)
857 {
858 	size_t i;
859 	char **pp;
860 
861 	if (pglob->gl_pathv != NULL) {
862 		pp = pglob->gl_pathv + pglob->gl_offs;
863 		for (i = pglob->gl_pathc; i--; ++pp)
864 			if (*pp)
865 				free(*pp);
866 		free(pglob->gl_pathv);
867 		pglob->gl_pathv = NULL;
868 	}
869 }
870 
871 static DIR *
872 g_opendir(Char *str, glob_t *pglob)
873 {
874 	char buf[MAXPATHLEN];
875 
876 	if (!*str)
877 		strcpy(buf, ".");
878 	else {
879 		if (g_Ctoc(str, buf, sizeof(buf)))
880 			return (NULL);
881 	}
882 
883 	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
884 		return ((*pglob->gl_opendir)(buf));
885 
886 	return (opendir(buf));
887 }
888 
889 static int
890 g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
891 {
892 	char buf[MAXPATHLEN];
893 
894 	if (g_Ctoc(fn, buf, sizeof(buf))) {
895 		errno = ENAMETOOLONG;
896 		return (-1);
897 	}
898 	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
899 		return((*pglob->gl_lstat)(buf, sb));
900 	return (lstat(buf, sb));
901 }
902 
903 static int
904 g_stat(Char *fn, struct stat *sb, glob_t *pglob)
905 {
906 	char buf[MAXPATHLEN];
907 
908 	if (g_Ctoc(fn, buf, sizeof(buf))) {
909 		errno = ENAMETOOLONG;
910 		return (-1);
911 	}
912 	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
913 		return ((*pglob->gl_stat)(buf, sb));
914 	return (stat(buf, sb));
915 }
916 
917 static const Char *
918 g_strchr(const Char *str, wchar_t ch)
919 {
920 
921 	do {
922 		if (*str == ch)
923 			return (str);
924 	} while (*str++);
925 	return (NULL);
926 }
927 
928 static int
929 g_Ctoc(const Char *str, char *buf, size_t len)
930 {
931 	mbstate_t mbs;
932 	size_t clen;
933 
934 	memset(&mbs, 0, sizeof(mbs));
935 	while (len >= MB_CUR_MAX) {
936 		clen = wcrtomb(buf, *str, &mbs);
937 		if (clen == (size_t)-1)
938 			return (1);
939 		if (*str == L'\0')
940 			return (0);
941 		str++;
942 		buf += clen;
943 		len -= clen;
944 	}
945 	return (1);
946 }
947 
948 #ifdef DEBUG
949 static void
950 qprintf(const char *str, Char *s)
951 {
952 	Char *p;
953 
954 	(void)printf("%s:\n", str);
955 	for (p = s; *p; p++)
956 		(void)printf("%c", CHAR(*p));
957 	(void)printf("\n");
958 	for (p = s; *p; p++)
959 		(void)printf("%c", *p & M_PROTECT ? '"' : ' ');
960 	(void)printf("\n");
961 	for (p = s; *p; p++)
962 		(void)printf("%c", ismeta(*p) ? '_' : ' ');
963 	(void)printf("\n");
964 }
965 #endif
966