Blame SOURCES/0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch

From dba89dd23d2d62686de192e0986eba65270a62c7 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 26 Oct 2017 10:03:39 -0400
Subject: [PATCH] Ticket 48894 - harden valueset_array_to_sorted_quick valueset
  access
Description:  It's possible during the sorting of a valueset to access an
              array element past the allocated size, and also go below the index 0.
https://pagure.io/389-ds-base/issue/48894
Reviewed by: nweiderm (Thanks!)
(cherry picked from commit 2086d052e338ddcbcf6bd3222617991641573a12)
---
 ldap/servers/slapd/valueset.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index dc0360738..14ebc48e6 100644
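--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -1019,11 +1019,11 @@ valueset_array_to_sorted_quick(const Slapi_Attr *a, Slapi_ValueSet *vs, size_t l
     while (1) {
         do {
             i++;
-        } while (valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
+        } while (i < vs->max && valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
 
         do {
             j--;
-        } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);
+        } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0 && j > 0);
 
         if (i >= j) {
             break;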
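Review bot: In the second loop the new `j > 0` test is evaluated after `valueset_value_cmp()`, so `vs->sorted[j]` is still read before the bound is checked, unlike the `i` loop where `i < vs->max` comes first. Putting the bound first, `} while (j > 0 && valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);`, would avoid the read when `j` has gone negative. The declaration of `j` is outside the hunk; if it is unsigned like the `size_t` parameters in the signature, a `j--` from 0 wraps to a huge value for which `j > 0` stays true, so the decrement itself needs a guard against the partition's lower bound. The `i` loop is bounded by `vs->max` rather than by the partition's upper index, which presumably keeps the read inside the allocation but may still compare slots that hold no valid entry; that is worth confirming against the rest of the function, which starts and ends outside this hunk.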
-- 
2.13.6