https://bugs.openldap.org/show_bug.cgi?id=10341

          Issue ID: 10341
           Summary: Two potential buffer overruns in function
                    mdb_cmp_cint.
           Product: OpenLDAP
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: libraries
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 1068
  --> https://bugs.openldap.org/attachment.cgi?id=1068&action=edit
Patch: Fix buffer overrun in function mdb_cmp_cint

We found two potential bugs in `mdb_cmp_cint`’s backward‐scan loop:

```c
/* Backward scan in mdb_cmp_cint: both end pointers are derived from a->mv_size. */
u = (unsigned short *)((char *)a->mv_data + a->mv_size);
c = (unsigned short *)((char *)b->mv_data + a->mv_size); /* b's end computed from a's size */
do {
    x = *--u - *--c;   /* first --u steps before a->mv_data when a->mv_size == 0 */
} while (!x && u > (unsigned short *)a->mv_data); /* only u is bounds-checked, never c */
```

1. **Underflow when `a->mv_size == 0`**
   If `a->mv_size` is zero, `u` is initialized to point one past the end of the
zero‐length buffer. The first `--u` then moves it before `a->mv_data`, and the
subsequent dereference is undefined. The original API allows lengths from 0 to
`0xFFFFFFFF`, so a zero length is possible and could lead to pointer underflow
here.

2. **Overflow of `b->mv_data` when `b->mv_size < a->mv_size`**
   The code uses `a->mv_size` to advance both `u` and `c`, and only
bounds‐checks `u`. If `b->mv_size` is smaller than `a->mv_size`, `c` may run
past the end of its buffer before the loop terminates, causing a buffer
overrun.
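To make the two preconditions concrete, here is an added example that is neither LMDB code nor the attached patch: a check that flags inputs the original loop cannot handle, beside a bounded variant of the backward scan that never reads outside either key. It reproduces the layout of `MDB_val` so it builds without `mdb.h`; the function names, the handling of odd trailing bytes, and the ordering chosen for keys of unequal length are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout of LMDB's MDB_val (length, then data pointer), reproduced so the
 * example builds stand-alone. */
typedef struct MDB_val {
    size_t mv_size;
    void  *mv_data;
} MDB_val;

/* Hypothetical precondition check (not from LMDB): returns 1 only when the
 * inputs satisfy the two assumptions the original backward scan relies on. */
int cint_inputs_ok(const MDB_val *a, const MDB_val *b)
{
    if (a->mv_size == 0)          /* issue 1: the first --u would underflow */
        return 0;
    if (b->mv_size < a->mv_size)  /* issue 2: c would run off b's buffer */
        return 0;
    return 1;
}

/* Hypothetical bounded variant (not the attached patch): scans 16-bit words
 * backward from the end, but only over the whole words both keys contain.
 * Odd trailing bytes are ignored; that is an assumption of this example. */
int cmp_cint_bounded(const MDB_val *a, const MDB_val *b)
{
    size_t n = a->mv_size < b->mv_size ? a->mv_size : b->mv_size;
    size_t words = n / sizeof(unsigned short);
    const unsigned char *pa = (const unsigned char *)a->mv_data + words * sizeof(unsigned short);
    const unsigned char *pb = (const unsigned char *)b->mv_data + words * sizeof(unsigned short);

    while (words-- > 0) {
        unsigned short wa, wb;
        pa -= sizeof wa;
        pb -= sizeof wb;
        memcpy(&wa, pa, sizeof wa);  /* memcpy: no alignment assumption on mv_data */
        memcpy(&wb, pb, sizeof wb);
        if (wa != wb)
            return (int)wa - (int)wb;
    }
    /* Equal over the common words (including the zero-length case):
     * order by length so the comparator still defines a total order. */
    return (a->mv_size > b->mv_size) - (a->mv_size < b->mv_size);
}

/* Constructed inputs for the cases in the report; bytes are read as
 * 16-bit words in host order, exactly as the original loop does. */
int demo_equal_length(void)
{
    static const unsigned char ka[] = { 0x01, 0x00, 0x02, 0x00 };
    static const unsigned char kb[] = { 0x01, 0x00, 0x03, 0x00 };
    MDB_val a = { sizeof ka, (void *)ka }, b = { sizeof kb, (void *)kb };
    return cmp_cint_bounded(&a, &b);  /* negative: a's high word is smaller */
}

int demo_zero_length(void)
{
    static const unsigned char kb[] = { 0x01, 0x00 };
    MDB_val a = { 0, (void *)kb }, b = { sizeof kb, (void *)kb };
    return cmp_cint_bounded(&a, &b);  /* -1: nothing scanned, a is shorter */
}

int demo_b_shorter(void)
{
    static const unsigned char ka[] = { 0x05, 0x00, 0x00, 0x00 };
    static const unsigned char kb[] = { 0x05, 0x00 };
    MDB_val a = { sizeof ka, (void *)ka }, b = { sizeof kb, (void *)kb };
    return cmp_cint_bounded(&a, &b);  /* 1: common word equal, a is longer */
}

/* Returns 1 when the precondition check rejects both bad shapes from the
 * report and accepts a well-formed pair. */
int demo_preconditions(void)
{
    static const unsigned char k2[] = { 0x01, 0x00 };
    static const unsigned char k4[] = { 0x01, 0x00, 0x02, 0x00 };
    MDB_val zero = { 0, (void *)k2 };
    MDB_val two = { sizeof k2, (void *)k2 };
    MDB_val four = { sizeof k4, (void *)k4 };
    return !cint_inputs_ok(&zero, &two)   /* a->mv_size == 0 */
        && !cint_inputs_ok(&four, &two)   /* b->mv_size < a->mv_size */
        &&  cint_inputs_ok(&two, &four);  /* well-formed */
}

int main(void)
{
    printf("equal: %d  zero-length: %d  b-shorter: %d  checks: %d\n",
           demo_equal_length(), demo_zero_length(), demo_b_shorter(),
           demo_preconditions());
    return 0;
}
```

The check is the cheap defensive option: reject the two shapes up front and keep the original scan. The bounded variant instead changes the comparator's contract for unequal lengths, which matters for an existing database because key order must stay stable, so it is shown here only to illustrate what a memory-safe scan looks like.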
