From 0e893fd788d28616959f01f63bf2e43e889bf325 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 2 Feb 2026 16:49:07 +0000
Subject: [PATCH] ITS#10438 liblber: check for realloc failure in
 ber_bvreplace_x()

---
 libraries/liblber/memory.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/libraries/liblber/memory.c b/libraries/liblber/memory.c
index 826e011bba..115fbf1de6 100644
--- a/libraries/liblber/memory.c
+++ b/libraries/liblber/memory.c
@@ -705,11 +705,22 @@ ber_bvreplace_x( struct berval *dst, LDAP_CONST struct berval *src, void *ctx )
 	assert( !BER_BVISNULL( src ) );
 
 	if ( BER_BVISNULL( dst ) || dst->bv_len < src->bv_len ) {
-		dst->bv_val = ber_memrealloc_x( dst->bv_val, src->bv_len + 1, ctx );
+		char *ptr = ber_memrealloc_x( dst->bv_val, src->bv_len + 1, ctx );
+		if ( ptr != NULL ) {
+			dst->bv_val = ptr;
+			dst->bv_len = src->bv_len;
+		}
+		/* if realloc failed, dst is left unchanged
+		 * and the value copied into it will be truncated.
+		 * callers never check this function's return value.
+		 */
+	} else {
+		dst->bv_len = src->bv_len;
 	}
 
-	AC_MEMCPY( dst->bv_val, src->bv_val, src->bv_len + 1 );
-	dst->bv_len = src->bv_len;
+	if ( dst->bv_val != NULL ) {
+		AC_MEMCPY( dst->bv_val, src->bv_val, dst->bv_len + 1 );
+	}
 
 	return dst;
 }
-- 
2.47.3