authorNoel Power <noel.power@suse.com>2019-05-21 13:08:15 +0000
committerNoel Power <npower@samba.org>2019-05-29 10:10:23 +0000
commit5477b83db28c67743e25a638c93bc4117a8a7ced (patch)
tree727bc546b272bfbd311863350cd2fc32831fdb11 /source3/lib
parent75afaeb749991925f17517ce50a96178d32d7922 (diff)
downloadsamba-5477b83db28c67743e25a638c93bc4117a8a7ced.tar.gz
s3/lib: don't write to buffer (which might be NULL) if bufsize <=0
Some code depends on tdb_pack[va] returning the number of bytes it would write to 'buf' when the bufsize passed in is <=0. Writing to the buffer is protected by lines like if (bufsize && bufsize >= len) { /* write to 'buf' */ } however in these instances the local pointer to the buffer is still modified: buf += len; It is quite probable that if bufsize == 0 then buf itself is NULL, and in this case we should protect against performing pointer arithmetic. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/util_tdb.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
index 0d1532193d4..943847f04a3 100644
--- a/source3/lib/util_tdb.c
+++ b/source3/lib/util_tdb.c
@@ -44,10 +44,9 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
int len = 0;
char *s;
char c;
- uint8_t *buf0 = buf;
const char *fmt0 = fmt;
int bufsize0 = bufsize;
-
+ size_t to_write = 0;
while (*fmt) {
switch ((c = *fmt++)) {
case 'b': /* unsigned 8-bit integer */
@@ -104,17 +103,19 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
break;
}
- buf += len;
- if (bufsize)
+ to_write += len;
+ if (bufsize > 0) {
bufsize -= len;
+ buf += len;
+ }
if (bufsize < 0)
bufsize = 0;
}
DEBUG(18,("tdb_pack_va(%s, %d) -> %d\n",
- fmt0, bufsize0, (int)PTR_DIFF(buf, buf0)));
+ fmt0, bufsize0, (int)to_write));
- return PTR_DIFF(buf, buf0);
+ return to_write;
}
size_t tdb_pack(uint8_t *buf, int bufsize, const char *fmt, ...)
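Review bot: In the second hunk the new `if (bufsize > 0) { bufsize -= len; buf += len; }` still advances `buf` by the full `len` when `len` is larger than the remaining `bufsize`, so the pointer can move past the end of the caller's buffer before `bufsize` is clamped to 0 on the next lines. According to the commit message the writes themselves are guarded, but forming a pointer beyond one-past-the-end is undefined behaviour in C, the same class of problem this commit fixes for a NULL `buf`. Advancing only when the item fitted avoids it: `if (bufsize > 0 && bufsize >= len) { buf += len; bufsize -= len; } else { bufsize = 0; }`. Separately, `to_write` is a `size_t` while `len` is a signed `int` computed in switch cases outside this hunk, so a comment such as `/* len is never negative here */` (or an explicit check) would make the `to_write += len` accumulation easier to trust. The body of tdb_pack_va starts outside the hunk.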