Bug 324525: Memory error in ber_get_stringal/ber_bvfree
Bug 324529: ber_scanf() needs to check for NULL return from malloc/realloc

https://bugzilla.mozilla.org/show_bug.cgi?id=324525
https://bugzilla.mozilla.org/show_bug.cgi?id=324529

The bugs are very closely related, and it's hard to disentangle the diffs, so two bugs for the price of one.

File: ldap/libraries/liblber/decode.c
Diffs: https://bugzilla.mozilla.org/attachment.cgi?id=209858

If ber_get_stringal encounters a bad BER tag after allocating the berval but before assigning to bv_val, it will short-circuit and return, leaving bv_val uninitialized. If the caller then calls ber_bvfree to free the berval*, it will attempt to free bv_val and therefore free uninitialized memory.

There is a similar problem in ber_scanf in the 'v' case. Memory is allocated for the string array, but the string being read is not initialized before calling ber_get_stringa, which may return in the case of a BER error; that aborts the vector reading and returns uninitialized memory to the caller to free. We cannot rely on calloc here since we may use realloc, and AFAIK there is no recalloc.

ber_scanf needs to check for a NULL return from malloc/realloc and abort processing of the vector 'v' or 'V'.

_______________________________________________
dev-tech-ldap mailing list
https://lists.mozilla.org/listinfo/dev-tech-ldap
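The two fixes described above, as an added illustration that is not the SDK's code or the attached diff: hypothetical stand-ins for berval, ber_get_stringal and ber_bvfree over a toy one-byte-length encoding, showing bv_val NULLed before any early return, every malloc/realloc result checked, and each vector slot initialized before the read that may abort.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for liblber's berval, ber_get_stringal and ber_bvfree. */
struct berval { size_t bv_len; char *bv_val; };
void bvfree(struct berval *bv)
{
    if (bv == NULL) return;
    free(bv->bv_val);  /* safe only because bv_val is always initialized below */
    free(bv);
}
/* Toy element: tag 0x04, one length byte, then data. The berval is allocated
   before the tag is checked, so bv_val is set to NULL before any early return. */
int get_stringal(const unsigned char *buf, size_t len, struct berval **out)
{
    struct berval *bv = *out = malloc(sizeof *bv);
    if (bv == NULL) return -1;
    bv->bv_val = NULL; bv->bv_len = 0;  /* the fix: a failed decode is still freeable */
    if (len < 2 || buf[0] != 0x04 || buf[1] > len - 2) return -1;  /* bad BER */
    bv->bv_len = buf[1];
    if ((bv->bv_val = malloc(bv->bv_len + 1)) == NULL) return -1;
    memcpy(bv->bv_val, buf + 2, bv->bv_len);
    bv->bv_val[bv->bv_len] = '\0';
    return 0;
}
void vfree(char **vec)  /* frees a NULL-terminated string vector, partial or whole */
{
    if (vec == NULL) return;
    for (char **p = vec; *p != NULL; p++) free(*p);
    free(vec);
}
/* The 'v' case: grow the vector with realloc, check every allocation, and NULL
   the new slot before the read that may abort, so a partial vector is freeable. */
int get_string_vector(const unsigned char *buf, size_t len, char ***out)
{
    char **vec = NULL, **grown;
    size_t n = 0, pos = 0;
    *out = NULL;
    while (pos < len) {
        if ((grown = realloc(vec, (n + 2) * sizeof *vec)) == NULL) { vfree(vec); return -1; }
        vec = grown;
        vec[n] = vec[n + 1] = NULL;  /* no slot is ever left uninitialized */
        struct berval *bv = NULL;
        if (get_stringal(buf + pos, len - pos, &bv) != 0) { bvfree(bv); vfree(vec); return -1; }
        pos += 2 + bv->bv_len;
        vec[n++] = bv->bv_val; bv->bv_val = NULL;  /* move the string into the vector */
        bvfree(bv);
    }
    *out = vec;
    return 0;
}
```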
