From 02e744fe208b912bbe51a0286457095211fbe2a2 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Mon, 29 Jul 2013 12:36:02 -0600
Subject: [PATCH 192/225] Ticket #47448 - Segfault in
 389-ds-base-1.3.1.4-1.fc19 when setting up FreeIPA replication

https://fedorahosted.org/389/ticket/47448
Reviewed by: lkrispenz (Thanks!)
Branch: master
Fix Description: valueset_add_valueset() sets the values in the vs1
destination valueset.  It expects that vs1 is empty.  Particularly, the
sorted array.  If the source valueset vs2->sorted is NULL, it assumes
vs1->sorted is NULL already, and does not free it and set it to NULL.
The fix is to free both vs1->sorted and vs1->va.  NOTE: this fixes
the crash, but does not address the larger issue that the semantics of
valueset_add_valueset are not correct - valueset_add_valueset should add
the values from vs2 to vs1, rather than replace vs1 with vs2.
Also added post-condition assertions.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit df53a874436503ef99594fc09e3d817317f86940)

Backported from 389-ds-base-1.3.1 to 389-ds-base-1.2.11.
The patch was reviewed by rmeggins@redhat.com (Thank you, Rich!!)
NOTE: this patch is needed for Ticket #346 - Slow ldapmodify operation
time for large quantities of multi-valued attribute values
(cherry picked from commit d36f7ea51cb8cb37d4d937dcf47254bf12a41c6b)
---
 ldap/servers/slapd/valueset.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index 29078d4..e83e740 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -573,6 +573,7 @@ slapi_valueset_done(Slapi_ValueSet *vs)
 {
 	if(vs!=NULL)
 	{
+		PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 		if(vs->va!=NULL)
 		{
 			valuearray_free(&vs->va);
@@ -604,6 +605,7 @@ slapi_valueset_set_from_smod(Slapi_ValueSet *vs, Slapi_Mod *smod)
 	Slapi_Value **va= NULL;
 	valuearray_init_bervalarray(slapi_mod_get_ldapmod_byref(smod)->mod_bvalues, &va);
 	valueset_set_valuearray_passin(vs, va);
+	PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 }
 
 void
@@ -624,7 +626,7 @@ valueset_set_valuearray_byval(Slapi_ValueSet *vs, Slapi_Value **addvals)
 		}
 	}
 	vs->va[j] = NULL;
-
+	PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 }
 
 void
@@ -634,6 +636,7 @@ valueset_set_valuearray_passin(Slapi_ValueSet *vs, Slapi_Value **addvals)
 	vs->va= addvals;
 	vs->num = valuearray_count(addvals);
 	vs->max = vs->num + 1;
+	PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 }
 
 void
@@ -747,6 +750,7 @@ valueset_remove_value_sorted(const Slapi_Attr *a, Slapi_ValueSet *vs, const Slap
 		for (i=0; i < vs->num; i++) {
 			if (vs->sorted[i] > index) vs->sorted[i]--;
 		}
+		PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 	}
 	return r;
 }
@@ -763,6 +767,7 @@ valueset_remove_value(const Slapi_Attr *a, Slapi_ValueSet *vs, const Slapi_Value
 			if (r)
 				vs->num--;
 		}
+		PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 		return r;
 	}
 }
@@ -791,6 +796,7 @@ valueset_purge(Slapi_ValueSet *vs, const CSN *csn)
 			slapi_ch_free ((void **)&vs->sorted);
 			vs->sorted = NULL;
 		}
+		PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 	}
 	return 0;
 }
@@ -980,6 +986,7 @@ valueset_array_to_sorted (const Slapi_Attr *a, Slapi_ValueSet *vs)
 		}
 		vs->sorted[j+1] = swap;
 	}
+	PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 }
 /* insert a value into a sorted array, if dupcheck is set no duplicate values will be accepted 
  * (is there a reason to allow duplicates ? LK
@@ -995,10 +1002,12 @@ valueset_insert_value_to_sorted(const Slapi_Attr *a, Slapi_ValueSet *vs, Slapi_V
 	if (vs->num == 0) {
 		vs->sorted[0] = 0;
 		vs->num++;
+		PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 		return(0);
 	} else if (valueset_value_cmp (a, vi, vs->va[vs->sorted[vs->num-1]]) > 0 )  {
 		vs->sorted[vs->num] = vs->num;
 		vs->num++; 
+		PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 		return (vs->num);
 	}
 	v = valueset_find_sorted (a, vs, vi, &index);
@@ -1009,6 +1018,7 @@ valueset_insert_value_to_sorted(const Slapi_Attr *a, Slapi_ValueSet *vs, Slapi_V
 		memmove(&vs->sorted[index+1],&vs->sorted[index],(vs->num - index)* sizeof(int));
 		vs->sorted[index] = vs->num;
 		vs->num++; 
+		PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 		return(index);
 	}
 		
@@ -1111,6 +1121,7 @@ slapi_valueset_add_attr_valuearray_ext(const Slapi_Attr *a, Slapi_ValueSet *vs,
 	}
 	(vs->va)[vs->num] = NULL;
 
+	PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 	return (rc); 
 }
 
@@ -1148,6 +1159,8 @@ valueset_add_valueset(Slapi_ValueSet *vs1, const Slapi_ValueSet *vs2)
 	int i;
 
 	if (vs1 && vs2) {
+		valuearray_free(&vs1->va);
+		slapi_ch_free((void **)&vs1->sorted);
 		if (vs2->va) {
 			/* need to copy valuearray */
 			if (vs2->max == 0) {
@@ -1168,6 +1181,7 @@ valueset_add_valueset(Slapi_ValueSet *vs1, const Slapi_ValueSet *vs2)
 			vs1->sorted = (int *) slapi_ch_malloc( vs1->max* sizeof(int));
 			memcpy(&vs1->sorted[0],&vs2->sorted[0],vs1->num* sizeof(int));
 		}
+		PR_ASSERT((vs1->sorted == NULL) || (vs1->num == 0) || ((vs1->sorted[0] >= 0) && (vs1->sorted[0] < vs1->num)));
 	}
 }
 
@@ -1322,6 +1336,7 @@ valueset_replace_valuearray_ext(Slapi_Attr *a, Slapi_ValueSet *vs, Slapi_Value *
 	vs->va = valstoreplace;
 	vs->num = vals_count;
 	vs->max = vals_count + 1;
+	PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
     } else {
 	/* verify the given values are not duplicated.  */
 	unsigned long flags = SLAPI_VALUE_FLAG_PASSIN|SLAPI_VALUE_FLAG_DUPCHECK;
@@ -1349,6 +1364,7 @@ valueset_replace_valuearray_ext(Slapi_Attr *a, Slapi_ValueSet *vs, Slapi_Value *
 		vs->num = vs_new->num;
 		vs->max = vs_new->max;
 		slapi_valueset_free (vs_new);
+		PR_ASSERT((vs->sorted == NULL) || (vs->num == 0) || ((vs->sorted[0] >= 0) && (vs->sorted[0] < vs->num)));
 	}
 	else
 	{
-- 
1.8.1.4