From 91c80c06affa3f4bfe106d2291efc360ab2b421d Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 26 Oct 2017 10:03:39 -0400
Subject: [PATCH] Ticket 48894 - harden valueset_array_to_sorted_quick valueset
access
Description: It's possible during the sorting of a valueset to access an
array element past the allocated size, and also go below the index 0.
https://pagure.io/389-ds-base/issue/48894
Reviewed by: nweiderm (Thanks!)
(cherry picked from commit 2086d052e338ddcbcf6bd3222617991641573a12)
---
ldap/servers/slapd/valueset.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index 8a824ac4a..e22bc9c39 100644
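--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -1054,11 +1054,11 @@ valueset_array_to_sorted_quick (const Slapi_Attr *a, Slapi_ValueSet *vs, size_t
 while (1) {
 do {
 i++;
- } while ( valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
+ } while (i < vs->max && valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
 
 do {
 j--;
- } while ( valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);
+ } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0 && j > 0);
 
 if (i >= j) {
 break;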
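Review bot: In the second loop the `j > 0` guard is evaluated only after `vs->va[vs->sorted[j]]` has been read, so it cannot prevent an out-of-range read at the index that `j--` just produced; it only stops the following iteration. Put the bound first, as the `i` loop does: `} while (j > 0 && valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);`. If `j` is unsigned (the truncated signature suggests `size_t` arguments), a decrement from 0 wraps to a large value that still passes `j > 0`, so the starting value of `j` would need its own check. The `i` loop is bounded by `vs->max`, which looks like the allocated capacity rather than the partition's upper bound; a short comment stating why every slot below `vs->max` is safe to read through `vs->sorted` would help. The function body starts and ends outside the hunk, so the initial values of `i` and `j` are not visible here.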
--
2.13.6