fix two bugs in the indexing code found by Georg Lehner

silence if statement indentation warnings (gcc has become more picky)

Makefile

@@ -50,7 +50,7 @@ CC=$(CROSS)gcc
 CFLAGS=-pipe -I. -Wall -W -Wextra
 ifneq ($(DEBUG),)
 DIET=/opt/diet/bin/diet
-CFLAGS=-pipe -I. -Wall -W -g -fstack-protector
+CFLAGS=-pipe -I. -Wall -W -Wextra -g -fstack-protector
 endif
 ifeq ($(COVERAGE),1)
 DIET=
@@ -111,6 +111,7 @@ clean:
 	rm -f t t[1-9] *.[ao] bindrequest tinyldap ldapclient \
 parse tinyldap_standalone tinyldap_debug ldapclient_str addindex \
 dumpidx idx2ldif md5password ldapdelete dumpacls asn1dump acl \
+mysql2ldif x \
 *.da *.bbg *.bb *.gcov gmon.out *.gcda *.gcno test/bind bind/ebind
 
 tar: clean

THANKS

@@ -16,3 +16,5 @@ I'd be astounded if someone found a way to exploit it, though.
 Andreas also ran tinyldap in afl and found two double frees.
 At least one of them looks like it might be exploitable if you are not
 using dietlibc.
+
+Georg Lehner found problems in the indexing code.

fmt_ldapbindrequest.c

@@ -9,10 +9,12 @@ size_t fmt_ldapbindrequest(char* dest,long version,const char* name,const char*
   sum=l=fmt_asn1INTEGER(dest,version);
   if (dest) dest+=l;
   l=fmt_asn1OCTETSTRING(dest,name,nlen);
-  if (add_of(sum,sum,l)) return (size_t)-1; if (dest) dest+=l;
+  if (add_of(sum,sum,l)) return (size_t)-1;
+  if (dest) dest+=l;
 //  sum+=l; if (dest) dest+=l;
   nlen=str_len(simple);
   l=fmt_asn1string(dest,PRIVATE,PRIMITIVE,0,simple,nlen);
-  if (add_of(sum,sum,l)) return (size_t)-1; if (dest) dest+=l;
+  if (add_of(sum,sum,l)) return (size_t)-1;
+  if (dest) dest+=l;
   return sum;
 }

fmt_ldapsearchfilter.c

@@ -20,7 +20,8 @@ size_t fmt_ldapsubstring(char* dest,const struct Substring* s) {
   size_t sum=0,tmp=0;
   while (s) {
     tmp=fmt_asn1string(dest,PRIVATE,PRIMITIVE,s->substrtype,s->s.s,s->s.l);
-    if (dest) dest+=tmp; sum+=tmp;
+    if (dest) dest+=tmp;
+    sum+=tmp;
     s=s->next;
   }
   return sum;

mysql2ldif.c

@@ -26,7 +26,7 @@ int main() {
   static array fn;	/* field names */
   static char* table;
   int mode=0;
-  int pkey;
+  int pkey=-1;
 
   while (buffer_getnewline_sa(buffer_0,&sa)==1) {
     ++line;
@@ -132,7 +132,7 @@ int main() {
 	    parseerror("expected NULL, 'string' or 1234");
 	  ++n;
 	}
-	if (!c[pkey]) {
+	if (pkey==-1 || !c[pkey]) {
 	  parseerror("primary key empty");
 	}
 	buffer_putm(buffer_1,"dn: ",c[pkey],"\nobjectClass: mysql2ldif\n");

parse.c

@@ -110,20 +110,23 @@ int ldif_callback(struct ldaprec* l) {
   uint32_pack(x+4,0);
 
 //  ofs=recofs;
-  if (buffer_put(&rbuf,x,8)) return -1; recofs+=8;
+  if (buffer_put(&rbuf,x,8)) return -1;
+  recofs+=8;
 //  if ((ofs=mstorage_add(&records,x,8))==(uint32)-1) return -1;
 
   uint32_pack(x,l->dn);
   uint32_pack(x+4,oc);
 
-  if (buffer_put(&rbuf,x,8)) return -1; recofs+=8;
+  if (buffer_put(&rbuf,x,8)) return -1;
+  recofs+=8;
 //  if (mstorage_add(&records,x,8)==-1) return -1;
 
   for (i=0; i<l->n; ++i) {
     if (l->a[i].name==objectClass && l->a[i].value==(uint32)-1) continue;
     uint32_pack(x,l->a[i].name);
     uint32_pack(x+4,l->a[i].value);
-    if (buffer_put(&rbuf,x,8)) return -1; recofs+=8;
+    if (buffer_put(&rbuf,x,8)) return -1;
+    recofs+=8;
 //    if (mstorage_add(&records,x,8)==-1) return -1;
   }
 //  uint32_pack(x,ofs);

scan_asn1rawoid.c

@@ -18,8 +18,8 @@ size_t scan_asn1rawoid(const char* src,const char* max,size_t* array,size_t* arr
       b+=(a-2)*40;
       a=2;
     }
-    if (array && cur<al) array[cur]=a; ++cur;
-    if (array && cur<al) array[cur]=b; ++cur;
+    if (array && cur+1<al) { array[cur]=a; array[cur+1]=b; }
+    cur+=2;
   }
 
   for (++src; src<max; ) {
@@ -28,7 +28,8 @@ size_t scan_asn1rawoid(const char* src,const char* max,size_t* array,size_t* arr
     if (!(i=scan_asn1tagint(src,max,&tmp)))
       return 0;
     src+=i;
-    if (array && cur<al) array[cur]=tmp; ++cur;
+    if (array && cur<al) array[cur]=tmp;
+    ++cur;
   }
 
   /* if we got this far, then we have an OID, but it might not have fit */

scan_ldapmodifyrequest.c

@@ -40,7 +40,8 @@ size_t scan_ldapmodifyrequest(const char* src,const char* max,struct ModifyReque
     if (!(tmp=scan_asn1SEQUENCE(src+res,max,&islen))) goto error;
     res+=tmp;
     if (!(tmp=scan_asn1ENUMERATED(src+res,max,&etmp))) goto error;
-    if (etmp>2) goto error; last->operation=etmp; res+=tmp;
+    if (etmp>2) goto error;
+    last->operation=etmp; res+=tmp;
     {
       size_t iislen;	/* urgh, _three_ levels of indirection */
       const char* imax;

scan_ldapsearchrequest.c

@@ -11,9 +11,11 @@ size_t scan_ldapsearchrequest(const char* src,const char* max,
   s->filter=0;
   if (!(res=scan_ldapstring(src,max,&s->baseObject))) goto error;
   if (!(tmp=scan_asn1ENUMERATED(src+res,max,&etmp))) goto error;
-  if (etmp>2) goto error; s->scope=etmp; res+=tmp;
+  if (etmp>2) goto error;
+  s->scope=etmp; res+=tmp;
   if (!(tmp=scan_asn1ENUMERATED(src+res,max,&etmp))) goto error;
-  if (etmp>3) goto error; s->derefAliases=etmp; res+=tmp;
+  if (etmp>3) goto error;
+  s->derefAliases=etmp; res+=tmp;
   if (!(tmp=scan_asn1INTEGER(src+res,max,&ltmp)) || ltmp<0) goto error;
   s->sizeLimit=(unsigned long)ltmp;
   res+=tmp;

t2.c

@@ -46,7 +46,8 @@ mergesub:
       int first=1;
       printf("%.*s has ",(int)f->ava.desc.l,f->ava.desc.s);
       while (s) {
-	if (!first) printf(" and "); first=0;
+	if (!first) printf(" and ");
+	first=0;
 	switch(s->substrtype) {
 	case prefix: printf("prefix \""); break;
 	case any: printf("substr \""); break;

tinyldap.c

@@ -573,6 +573,16 @@ static inline void fillset(struct bitfield* b) {
   for (i=0; i<record_set_length; ++i) b->bits[i]=(unsigned long)-1;
 }
 
+static inline void invertset(struct bitfield* b) {
+  size_t i;
+  b->first=0;
+#ifdef RANGECHECK
+  b->n=
+#endif
+  b->last=record_count;
+  for (i=0; i<record_set_length; ++i) b->bits[i] = ~b->bits[i];
+}
+
 /* basic bit-set support: set one bit to 1 */
 static inline void setbit(struct bitfield* b,size_t bit) {
 #ifdef RANGECHECK
@@ -645,7 +655,7 @@ static void tagmatches(uint32* index,size_t elements,struct string* s,
       /* there may be multiple matches.
 	* Look before and after mid, too */
       if (mid)	/* thx Andreas Stührk */
-	for (k=mid-1; k>0; --k) {
+	for (k=mid-1; k!=(uint32_t)-1; --k) {
 	  m=uint32_read((char*)(&index[k]));
 	  if ((ft==LESSEQUAL) || (l=match(s,map+m))==0) {
 	    if (index_type==0)
@@ -819,11 +829,16 @@ static int useindex(struct Filter* f,struct bitfield* b) {
       }
       return ok;
     }
-#if 0
-  /* doesn't make much sense to try to speed up negated queries */
   case NOT:
-    return indexable(y);
-#endif
+    {
+      if (y) {
+	emptyset(b);
+	useindex(y,b);
+	invertset(b);
+      } else
+	emptyset(b);
+      return 1;
+    }
   case SUBSTRING:
     if (f->substrings->substrtype!=prefix) return 0;
     {

tls_doread.c

@@ -3,6 +3,7 @@
 #include <errno.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include <string.h>
 
 tls_error_code tls_doread(uintptr_t fd,struct ssl_context* sc) {
   size_t l;

x.c

@@ -30,8 +30,6 @@ char pkt[]=
 "\x00\x01\x01\x15\x03\x03\x00\x02\x02\x30";
 
 int main() {
-  char buf[200];
-  size_t l;
   struct ssl_context sc;
   int fd;
 
@@ -43,6 +41,8 @@ int main() {
       diesys(1,"connect");
 
 #if 0
+  size_t l;
+  char buf[200];
   init_tls_context_norandom(&sc,NULL);
   printf("%zu\n",fmt_tls_serverhello(NULL,pkt,sizeof(pkt),&sc));
   init_tls_context_norandom(&sc,"blog.fefe.de");