From 0baffda48f5bb9ab7a1ff427338d97fd8efaa3f4 Mon Sep 17 00:00:00 2001
From: leitner
Date: Mon, 28 Jul 2008 13:24:27 +0000
Subject: [PATCH] =?UTF-8?q?int=20underflow=20in=20indexing=20code=20(thx?= =?UTF-8?q?=20Andreas=20St=C3=BChrk)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 THANKS | 2 ++
 tinyldap.c | 23 ++++++++++++-----------
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/THANKS b/THANKS
index ac50d08..bba4bdb 100644
--- a/THANKS
+++ b/THANKS
@@ -10,3 +10,5 @@ Dirk Meyer helped BSD portability. Zak Johnson fixed substring matches in ldap_match_mapped.
+Andreas Stührk found a possible integer underflow in the indexing code.
+I'd be astounded if someone found a way to exploit it, though.
diff --git a/tinyldap.c b/tinyldap.c
index 64a12cf..dc485a0 100644
--- a/tinyldap.c
+++ b/tinyldap.c
@@ -639,17 +639,18 @@ static void tagmatches(uint32* index,size_t elements,struct string* s,
 setbit(b,rec);
 /* there may be multiple matches.
 * Look before and after mid, too */
- for (k=mid-1; k>0; --k) {
- m=uint32_read((char*)(&index[k]));
- if ((ft==LESSEQUAL) || (l=match(s,map+m))==0) {
- if (index_type==0)
- rec=findrec(m);
- else if (index_type==1)
- rec=uint32_read((char*)(&index[k+elements]));
- if (rec>=0)
- setbit(b,rec);
- } else break;
- }
+ if (mid) /* thx Andreas Stührk */
+ for (k=mid-1; k>0; --k) {
+ m=uint32_read((char*)(&index[k]));
+ if ((ft==LESSEQUAL) || (l=match(s,map+m))==0) {
+ if (index_type==0)
+ rec=findrec(m);
+ else if (index_type==1)
+ rec=uint32_read((char*)(&index[k+elements]));
+ if (rec>=0)
+ setbit(b,rec);
+ } else break;
+ }
 for (k=mid+1; k