From: Howard Chu Date: Thu, 24 Nov 2022 21:32:51 +0000 (+0000) Subject: ITS#9955 liblunicode: fix buffer size in UTF8bvnormalize X-Git-Tag: OPENLDAP_REL_ENG_2_6_4~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=261a4185eb1420a8f6ab56f9497c11e5e1daee68;p=thirdparty%2Fopenldap.git ITS#9955 liblunicode: fix buffer size in UTF8bvnormalize output buffer may overrun 1 byte for specially crafted approxMatch search filters. Not exploitable, no operational or security impact.
---
diff --git a/libraries/liblunicode/ucstr.c b/libraries/liblunicode/ucstr.c
index e95db43e7d..88b41fcd38 100644
--- a/libraries/liblunicode/ucstr.c
+++ b/libraries/liblunicode/ucstr.c
@@ -240,6 +240,17 @@ fail:
 if ( approx ) {
 for ( j = 0; j < ucsoutlen; j++ ) {
 if ( ucsout[j] < 0x80 ) {
+ if ( outpos >= outsize ) {
+ outsize += ( ucsoutlen - j ) + 1;
+ outtmp = (char *) ber_memrealloc_x( out, outsize, ctx );
+ if ( outtmp == NULL ) {
+ ber_memfree_x( ucsout, ctx );
+ ber_memfree_x( ucs, ctx );
+ ber_memfree_x( out, ctx );
+ goto fail;
+ }
+ out = outtmp;
+ }
 out[outpos++] = ucsout[j];
 }
 }
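Review bot: The new guard `if ( outpos >= outsize )` only guarantees room for the byte about to be stored, so the `+ 1` reserved for a terminator exists only on the path where the realloc actually runs. If the loop can finish with `outpos == outsize` and a terminator is later written at `out[outpos]` without its own size check (that code is outside this hunk), a one-byte overrun would remain; confirm that path, or test `outpos + 1 >= outsize` here so a spare byte is always kept. The failure branch frees `ucsout`, `ucs` and `out` and then jumps to `fail:`, whose body is also outside the hunk, so it is worth verifying that the label does not release any of the three again. A short comment such as `/* approx keeps only ASCII: at most one byte per remaining code point, plus the terminator */` above the growth line would explain the formula.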