ITS#8752 (maybe related)

Avoid incremental access to user-supplied bv in dupbv

diff --git a/libraries/liblber/memory.c b/libraries/liblber/memory.c
index a99f5044c46d43195ffbd719164d5a5e795d0669..aa1d1e1231e601195bf5176c9f59379f0e719846 100644 (file)
--- a/libraries/liblber/memory.c
+++ b/libraries/liblber/memory.c
@@ -482,7 +482,7 @@ struct berval *
 ber_dupbv_x(
        struct berval *dst, struct berval *src, void *ctx )
 {
-       struct berval *new;
+       struct berval *new, tmp;
 
        if( src == NULL ) {
                ber_errno = LBER_ERROR_PARAM;
@@ -490,7 +490,7 @@ ber_dupbv_x(
        }
 
        if ( dst ) {
-               new = dst;
+               new = &tmp;
        } else {
                if(( new = ber_memalloc_x( sizeof(struct berval), ctx )) == NULL ) {
                        return NULL;
@@ -500,18 +500,23 @@ ber_dupbv_x(
        if ( src->bv_val == NULL ) {
                new->bv_val = NULL;
                new->bv_len = 0;
-               return new;
-       }
+       } else {
 
-       if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
-               if ( !dst )
-                       ber_memfree_x( new, ctx );
-               return NULL;
+               if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
+                       if ( !dst )
+                               ber_memfree_x( new, ctx );
+                       return NULL;
+               }
+
+               AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
+               new->bv_val[src->bv_len] = '\0';
+               new->bv_len = src->bv_len;
        }
 
-       AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
-       new->bv_val[src->bv_len] = '\0';
-       new->bv_len = src->bv_len;
+       if ( dst ) {
+               *dst = *new;
+               new = dst;
+       }
 
        return new;
 }