From 404c8850da5a677638959f4e38bb7692cb887d3a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 18 May 2018 16:48:13 +0200
Subject: [PATCH] curl_fnmatch: only allow two asterisks for matching

The previous limit of 5 can still end up in situation that takes a very long time and consumes a lot of CPU. If there is still a rare use case for this, a user can provide their own fnmatch callback for a version that allows a larger set of wildcards. This commit was triggered by yet another OSS-Fuzz timeout due to this.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369
Closes #2587
---
 docs/libcurl/opts/CURLOPT_WILDCARDMATCH.3 | 4 ++--
 lib/curl_fnmatch.c | 2 +-
 tests/unit/unit1307.c | 4 ----
 3 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/docs/libcurl/opts/CURLOPT_WILDCARDMATCH.3 b/docs/libcurl/opts/CURLOPT_WILDCARDMATCH.3
index 1ca1bedd4..da1fea9fb 100644
--- a/docs/libcurl/opts/CURLOPT_WILDCARDMATCH.3
+++ b/docs/libcurl/opts/CURLOPT_WILDCARDMATCH.3
@@ -5,7 +5,7 @@
 .\" * | (__| |_| | _ <| |___
 .\" * \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al.
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -41,7 +41,7 @@ A brief introduction of its syntax follows:
 .RS
 .IP "* - ASTERISK"
 \&ftp://example.com/some/path/\fB*.txt\fP (for all txt's from the root
-directory)
+directory). Only two asterisks are allowed within the same pattern string.
 .RE
 .RS
 .IP "? - QUESTION MARK"
diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
index 0179a4f71..268fe79b3 100644
--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -355,5 +355,5 @@ int Curl_fnmatch(void *ptr, const char *pattern, const char *string)
 if(!pattern || !string) {
 return CURL_FNMATCH_FAIL;
 }
- return loop((unsigned char *)pattern, (unsigned char *)string, 5);
+ return loop((unsigned char *)pattern, (unsigned char *)string, 2);
 }
diff --git a/tests/unit/unit1307.c b/tests/unit/unit1307.c
index 0d2257bf0..5f60332b8 100644
--- a/tests/unit/unit1307.c
+++ b/tests/unit/unit1307.c
@@ -185,11 +185,7 @@ static const struct testcase tests[] = {
 { "\\?.txt", "x.txt", NOMATCH },
 { "\\*.txt", "x.txt", NOMATCH },
 { "\\*\\\\.txt", "*\\.txt", MATCH },
- { "*\\**\\?*\\\\*", "cc*cc?cc\\cc*cc", MATCH },
 { "*\\**\\?*\\\\*", "cc*cc?cccc", NOMATCH },
- { "*\\**\\?*\\\\*", "cc*cc?cc\\cc*cc", MATCH },
- { "*\\?*\\**", "cc?c*c", MATCH },
- { "*\\?*\\**curl*", "cc?c*curl", MATCH },
 { "*\\?*\\**", "cc?cc", NOMATCH },
 { "\\\"\\$\\&\\'\\(\\)", "\"$&'()", MATCH },
 { "\\*\\?\\[\\\\\\`\\|", "*?[\\`|", MATCH },
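Review bot: In lib/curl_fnmatch.c the asterisk limit is passed to `loop()` as a bare literal `2` at the end of Curl_fnmatch, so nothing at the call site records that it is the bound against the long-running, CPU-heavy matches the commit message describes, or that CURLOPT_WILDCARDMATCH.3 now documents the same number. I would give it a name and a comment, e.g. `#define MAX_WILDCARD_STARS 2 /* more asterisks can make matching take a very long time; keep in sync with CURLOPT_WILDCARDMATCH.3 */`, and pass `MAX_WILDCARD_STARS` in the call. The unit1307.c hunk only removes the cases that used to MATCH, and the over-limit patterns it keeps already expected NOMATCH before this change, so no test pins the new limit. Keeping one removed case with the expectation inverted, e.g. `{ "*\\?*\\**", "cc?c*c", NOMATCH },`, would do that, assuming an over-limit pattern is reported as NOMATCH, which the hunk does not show. Curl_fnmatch's body starts above the hunk.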