https://bugs.openldap.org/show_bug.cgi?id=9583
Issue ID: 9583
Summary: possible memory corruption in avl_buildlist
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: grapvar@gmail.com
Target Milestone: ---
In the excerpt below: if avl_maxlist is large enough then address
(NULL + avl_maxlist * sizeof(pointer))
may be mapped into the address space. If ber_memrealloc fails, avl_list[avl_maxlist]=… will corrupt program state before it eventually crashes.
libraries/libldap/avl.c:
    static int slots;

    static int
    avl_buildlist( void* data, … )
    {
        if ( avl_list == 0 ) {
            slots = 100;
            avl_list = ber_memalloc(100 * sizeof(void*));
            …
        } else if ( avl_maxlist == slots ) {
            slots += 100;
            /* result stored straight into avl_list: NULL on failure */
            avl_list = ber_memrealloc( avl_list, slots * sizeof(void*));
            …
        }
        /* with avl_list == NULL this stores to NULL + avl_maxlist * sizeof(void*) */
        avl_list[ avl_maxlist++ ] = data;
Please be advised that this issue has been reported by an accidental visitor, from a developer's point of view, not a user's point of view, so I won't define, provide or construct any “valid use case”.
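The safe form of the growth step described in the report, as an added example that is not OpenLDAP code: a hypothetical growable pointer list (ptr_list, ptr_list_push, grow_alloc and fail_next_allocation are all names introduced here) that grows in steps of 100 like avl_buildlist, but reallocates through a temporary, checks the result before committing it, and refuses growth that would overflow the size computation. The allocator hook lets the realloc failure path be driven deterministically so the list can be shown to stay intact, with no store ever issued against a NULL base.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define LIST_GROW 100

/* Hypothetical growable pointer list modelled on the avl_buildlist
 * pattern (fixed growth steps of 100 slots). Not OpenLDAP code. */
struct ptr_list {
    void **items;   /* NULL until the first push */
    size_t count;   /* elements in use (the role of avl_maxlist) */
    size_t slots;   /* allocated capacity (the role of slots) */
};

/* Allocation hook with fault injection so the failure path can be
 * exercised deterministically; a real build would call realloc directly. */
static int fail_next_alloc = 0;

void fail_next_allocation(void)
{
    fail_next_alloc = 1;
}

static void *grow_alloc(void *old, size_t size)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return realloc(old, size);
}

/* Hardened push: grow through a temporary, check the result, and only
 * then commit. On failure the existing buffer and count are untouched,
 * so nothing is written through a NULL base. Returns 0 on success, -1
 * on failure (the caller still owns the old buffer). */
int ptr_list_push(struct ptr_list *l, void *data)
{
    if (l->count == l->slots) {
        size_t new_slots = l->slots + LIST_GROW;
        void **tmp;

        /* Refuse growth that would overflow the byte-size computation. */
        if (new_slots > SIZE_MAX / sizeof(void *))
            return -1;

        tmp = grow_alloc(l->items, new_slots * sizeof(void *));
        if (tmp == NULL)
            return -1;      /* l->items is still valid */

        l->items = tmp;
        l->slots = new_slots;
    }
    l->items[l->count++] = data;
    return 0;
}

void ptr_list_free(struct ptr_list *l)
{
    free(l->items);
    l->items = NULL;
    l->count = l->slots = 0;
}

/* Walk the failure scenario from the report: fill the list up to a
 * growth boundary, make the next reallocation fail, and confirm the
 * list survives intact and keeps working once memory is available.
 * Returns 1 if every expectation holds, 0 otherwise. */
int demo_realloc_failure(void)
{
    struct ptr_list l = { NULL, 0, 0 };
    int marker = 0;     /* constructed payload; only its address matters */
    size_t i;
    int ok = 1;

    for (i = 0; i < 2 * LIST_GROW; i++)
        if (ptr_list_push(&l, &marker) != 0) ok = 0;
    if (l.count != 2 * LIST_GROW || l.slots != 2 * LIST_GROW) ok = 0;

    fail_next_allocation();
    if (ptr_list_push(&l, &marker) != -1) ok = 0;   /* growth refused */
    if (l.items == NULL || l.count != 2 * LIST_GROW || l.slots != 2 * LIST_GROW) ok = 0;
    if (l.items[0] != (void *)&marker) ok = 0;      /* old contents intact */

    if (ptr_list_push(&l, &marker) != 0) ok = 0;    /* recovers afterwards */
    if (l.count != 2 * LIST_GROW + 1 || l.slots != 3 * LIST_GROW) ok = 0;

    ptr_list_free(&l);
    return ok;
}

int main(void)
{
    printf("realloc failure handled safely: %s\n",
           demo_realloc_failure() ? "yes" : "no");
    return 0;
}
```

The point of the temporary is that a failed realloc returns NULL but leaves the original block allocated; assigning the result directly to the list pointer both leaks that block and turns the following store into a write at NULL plus an attacker-influenced offset, which is exactly the corruption the report describes.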