From 6ef23456c39ba57bbdd4d24f84f6556c5e94de95 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 21 Feb 2023 09:42:28 +1300
Subject: [PATCH] ldb: Avoid undefined pointer arithmetic

Computing a pointer that points outside of an array, and not to one past the last element, is undefined behaviour. To avoid this, do our comparisons in terms of lengths, not pointers.

Signed-off-by: Joseph Sutton
Reviewed-by: Andreas Schneider
---
 lib/ldb/common/ldb_pack.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/lib/ldb/common/ldb_pack.c b/lib/ldb/common/ldb_pack.c
index 490e7726d4d..b06a6e2b84b 100644
--- a/lib/ldb/common/ldb_pack.c
+++ b/lib/ldb/common/ldb_pack.c
@@ -786,7 +786,7 @@ static int ldb_unpack_data_flags_v2(struct ldb_context *ldb,
 p += U32_LEN;
 
 /* First fields are fixed: num_elements, DN length */
- if (p + U32_LEN * 2 > end_p) {
+ if (U32_LEN * 2 > end_p - p) {
 errno = EIO;
 goto failed;
 }
@@ -797,7 +797,7 @@ static int ldb_unpack_data_flags_v2(struct ldb_context *ldb,
 len = PULL_LE_U32(p, 0);
 p += U32_LEN;
 
- if (p + len + NULL_PAD_BYTE_LEN > end_p) {
+ if (len + NULL_PAD_BYTE_LEN > end_p - p) {
 errno = EIO;
 goto failed;
 }
@@ -826,7 +826,7 @@ static int ldb_unpack_data_flags_v2(struct ldb_context *ldb,
 len = PULL_LE_U32(p, 0) + NULL_PAD_BYTE_LEN;
 p += U32_LEN;
 
- if (p + len > end_p) {
+ if (len > end_p - p) {
 errno = EIO;
 goto failed;
 }
@@ -892,10 +892,10 @@ static int ldb_unpack_data_flags_v2(struct ldb_context *ldb,
 struct ldb_message_element *element = NULL;
 
 /* Sanity check: minimum element size */
- if (p + (U32_LEN * 2) + /* attr name len, num values */
+ if ((U32_LEN * 2) + /* attr name len, num values */
 (U8_LEN * 2) + /* value length width, one val length */
 (NULL_PAD_BYTE_LEN * 2) /* null for attr name + val */
- > value_section_p) {
+ > value_section_p - p) {
 errno = EIO;
 goto failed;
 }
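Review bot: `end_p - p` (and `value_section_p - p`) in the new conditions is a signed `ptrdiff_t`, while `len` and the `*_LEN` constants are, as far as these hunks show, unsigned or `int`, so the checks are sound only while `p <= end_p` and `p <= value_section_p` hold at every site; with an unsigned `len` a negative difference would convert to a huge value and let a short buffer through. The visible hunks keep that invariant because each advance of `p` follows a check, but nothing in the code states it, and the old pointer form did not depend on it in the same way. I would add `/* Invariant: p <= end_p here; every advance of p is bounds-checked first */` above the check in the 786 hunk and an equivalent line for `value_section_p` in the 892 hunk; the 797, 826, 916, 956 and 994 hunks rely on the same invariant. The enclosing function ldb_unpack_data_flags_v2 starts and ends outside these hunks.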
@@ -916,7 +916,7 @@ static int ldb_unpack_data_flags_v2(struct ldb_context *ldb,
 * val_len_width is the width specifier
 * for the variable length encoding
 */
- if (p + U32_LEN + U8_LEN > value_section_p) {
+ if (U32_LEN + U8_LEN > value_section_p - p) {
 errno = EIO;
 goto failed;
 }
@@ -956,8 +956,8 @@ static int ldb_unpack_data_flags_v2(struct ldb_context *ldb,
 val_len_width = *p;
 p += U8_LEN;
 
- if (p + val_len_width * element->num_values >
- value_section_p) {
+ if (val_len_width * element->num_values >
+ value_section_p - p) {
 errno = EIO;
 goto failed;
 }
@@ -994,7 +994,7 @@ static int ldb_unpack_data_flags_v2(struct ldb_context *ldb,
 errno = EIO;
 goto failed;
 }
- if (q + len + NULL_PAD_BYTE_LEN > end_p) {
+ if (len + NULL_PAD_BYTE_LEN > end_p - q) {
 errno = EIO;
 goto failed;
 }
-- 
2.47.3
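Review bot: In the 956 hunk the product `val_len_width * element->num_values` is still evaluated in the operands' own integer type before it is compared with the `ptrdiff_t`, so if `val_len_width` is a byte read from the buffer and `num_values` is a 32-bit count also taken from the packed data, the product can wrap in 32-bit unsigned arithmetic and a too-small remaining buffer would pass this check. Widening one operand first, `if ((size_t)val_len_width * element->num_values > (size_t)(value_section_p - p)) {`, keeps the check exact on targets where `size_t` is 64 bits; the types of the two fields are not visible in this hunk, so confirm them before relying on that. The enclosing function ldb_unpack_data_flags_v2 continues on both sides of the hunk.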