diff options
| author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2021-03-06 16:05:15 +1300 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2021-11-02 20:36:16 +0000 |
| commit | 3e2a1671d69853cc1b5b52d8f2e26e9da16ead67 (patch) | |
| tree | 76c2d8039a6932890824b5aa5391674e20c24535 | |
| parent | 1870e5b46c159b3371bd00b2b85fe2c1c84c1b4f (diff) | |
| download | samba-3e2a1671d69853cc1b5b52d8f2e26e9da16ead67.tar.gz | |
ldb: fix ldb_comparison_fold off-by-one overrun
We run one character over in comparing all the bytes in two ldb_vals.
In almost all circumstances both ldb_vals would have an allocated '\0'
in the overrun position, but it is best not to rely on that.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b2f4f519454beb6f2a46705675a62274019fc09)
| -rw-r--r-- | lib/ldb/common/attrib_handlers.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c index f0fd4f50d8d..6a885065f77 100644 --- a/lib/ldb/common/attrib_handlers.c +++ b/lib/ldb/common/attrib_handlers.c @@ -334,8 +334,8 @@ int ldb_comparison_fold(struct ldb_context *ldb, void *mem_ctx, if (toupper((unsigned char)*s1) != toupper((unsigned char)*s2)) break; if (*s1 == ' ') { - while (n1 && s1[0] == s1[1]) { s1++; n1--; } - while (n2 && s2[0] == s2[1]) { s2++; n2--; } + while (n1 > 1 && s1[0] == s1[1]) { s1++; n1--; } + while (n2 > 1 && s2[0] == s2[1]) { s2++; n2--; } } s1++; s2++; n1--; n2--; |