ldb: fix ldb_comparison_fold off-by-one overrun
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Sat, 6 Mar 2021 03:05:15 +0000 (16:05 +1300)
committerStefan Metzmacher <metze@samba.org>
Tue, 2 Nov 2021 21:52:16 +0000 (21:52 +0000)
We run one character over in comparing all the bytes in two ldb_vals.

In almost all circumstances both ldb_vals would have an allocated '\0'
in the overrun position, but it is best not to rely on that.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b2f4f519454beb6f2a46705675a62274019fc09)

lib/ldb/common/attrib_handlers.c

index f0fd4f50d8dfd09bbd132a3a887b46eb182cac4f..6a885065f773673483fc508400a9fd959a131902 100644 (file)
@@ -334,8 +334,8 @@ int ldb_comparison_fold(struct ldb_context *ldb, void *mem_ctx,
                if (toupper((unsigned char)*s1) != toupper((unsigned char)*s2))
                        break;
                if (*s1 == ' ') {
-                       while (n1 && s1[0] == s1[1]) { s1++; n1--; }
-                       while (n2 && s2[0] == s2[1]) { s2++; n2--; }
+                       while (n1 > 1 && s1[0] == s1[1]) { s1++; n1--; }
+                       while (n2 > 1 && s2[0] == s2[1]) { s2++; n2--; }
                }
                s1++; s2++;
                n1--; n2--;
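Review bot: The new `n1 > 1` and `n2 > 1` bounds on the two inner `while` loops rely on an invariant that is not written down: n1 and n2 count the bytes remaining including the current one, so `s1[1]` and `s2[1]` are only inside the value while at least two bytes remain. A short comment above the loops would stop a later cleanup from reverting to the truthiness test, for example `/* n counts the current byte too: s[1] is in bounds only while n > 1 */`. The commit message says both values almost always carry an allocated '\0' in the overrun position, so ordinary tests will presumably not catch the one-byte overread. A regression test that compares values ending in a space, held in exact-length buffers and run under a memory checker, would pin the fix; the hunk does not show whether one exists. The enclosing loop and the rest of ldb_comparison_fold lie outside the hunk, so the handling of the bytes left after the loop could not be checked here.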