ldb: fix ldb_comparison_fold off-by-one overrun
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Sat, 6 Mar 2021 03:05:15 +0000 (16:05 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 7 Apr 2021 02:17:34 +0000 (02:17 +0000)
We run one character over in comparing all the bytes in two ldb_vals.

In almost all circumstances both ldb_vals would have an allocated '\0'
in the overrun position, but it is best not to rely on that.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
lib/ldb/common/attrib_handlers.c

index 81a74584bcbb2f1a99d387cd9b3253a3d92692df..9e5fa4d3d56cf5318ca7303f602f88ae13462e6b 100644 (file)
@@ -335,8 +335,8 @@ int ldb_comparison_fold(struct ldb_context *ldb, void *mem_ctx,
                if (toupper((unsigned char)*s1) != toupper((unsigned char)*s2))
                        break;
                if (*s1 == ' ') {
-                       while (n1 && s1[0] == s1[1]) { s1++; n1--; }
-                       while (n2 && s2[0] == s2[1]) { s2++; n2--; }
+                       while (n1 > 1 && s1[0] == s1[1]) { s1++; n1--; }
+                       while (n2 > 1 && s2[0] == s2[1]) { s2++; n2--; }
                }
                s1++; s2++;
                n1--; n2--;
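Review bot: The tightened guards `n1 > 1` and `n2 > 1` in the two space-collapsing loops carry no comment saying why the bound is 1 rather than 0, so a later cleanup could plausibly turn them back into `n1` / `n2` and reintroduce the one-byte read past the value. I would add above the first loop: `/* s[1] is read here, so two bytes must remain: ldb_val data is length-delimited and a trailing NUL is not guaranteed */`. Because the compared values presumably can come from directory clients, a regression test would keep this covered; none is visible in this section. It should compare values that end in a space and sit in buffers of exactly `length` bytes, run under a memory checker. ldb_comparison_fold starts and ends outside the hunk, so the outer loop condition is not checked here.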