From 91c80c06affa3f4bfe106d2291efc360ab2b421d Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Thu, 26 Oct 2017 10:03:39 -0400 Subject: [PATCH] Ticket 48894 - harden valueset_array_to_sorted_quick valueset access Description: It's possible during the sorting of a valueset to access an array element past the allocated size, and also go below the index 0. https://pagure.io/389-ds-base/issue/48894 Reviewed by: nweiderm (Thanks!) (cherry picked from commit 2086d052e338ddcbcf6bd3222617991641573a12) --- ldap/servers/slapd/valueset.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c index 8a824ac4a..e22bc9c39 100644 --- a/ldap/servers/slapd/valueset.c +++ b/ldap/servers/slapd/valueset.c @@ -1054,11 +1054,11 @@ valueset_array_to_sorted_quick (const Slapi_Attr *a, Slapi_ValueSet *vs, size_t while (1) { do { i++; - } while ( valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0); + } while (i < vs->max && valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0); do { j--; - } while ( valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0); + } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0 && j > 0); if (i >= j) { break; -- 2.13.6