From 056d75cd59c38c53459d78f121cbae42fce2b003 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: May 08 2018 14:54:43 +0000
Subject: CVE-2018-1089 - Crash from long search filter
Signed-off-by: Mark Reynolds
(cherry picked from commit 9d8d096b154e44f3e1fa1f8d5bfe258ed8d9dc51)
---
diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
index 2ac3d2c..393a4dc 100644
--- a/ldap/servers/slapd/filter.c
+++ b/ldap/servers/slapd/filter.c
@@ -472,7 +472,7 @@ get_substring_filter(
 f->f_sub_initial = val;
 eval = (char *)slapi_escape_filter_value(val, -1);
 if (eval) {
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
 fstr_len += (strlen(eval) + 1) * 2;
 *fstr = slapi_ch_realloc(*fstr, fstr_len);
 }
@@ -486,7 +486,7 @@ get_substring_filter(
 charray_add(&f->f_sub_any, val);
 eval = (char *)slapi_escape_filter_value(val, -1);
 if (eval) {
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
 fstr_len += (strlen(eval) + 1) * 2;
 *fstr = slapi_ch_realloc(*fstr, fstr_len);
 }
@@ -504,7 +504,7 @@ get_substring_filter(
 f->f_sub_final = val;
 eval = (char *)slapi_escape_filter_value(val, -1);
 if (eval) {
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
 fstr_len += (strlen(eval) + 1) * 2;
 *fstr = slapi_ch_realloc(*fstr, fstr_len);
 }
@@ -530,7 +530,7 @@ get_substring_filter(
 }
 filter_compute_hash(f);
 
- if (fstr_len < strlen(*fstr) + 3) {
+ if (fstr_len <= strlen(*fstr) + 3) {
 fstr_len += 3;
 *fstr = slapi_ch_realloc(*fstr, fstr_len);
 }
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index ddb2cc8..cb46efb 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
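Review bot: The realloc guard on the new `<=` line at @@ -472 grows the buffer by a relative amount, `fstr_len += (strlen(eval) + 1) * 2`, rather than to the size the append needs, so it is only sufficient if `fstr_len` is never below `strlen(*fstr) + 1` when this code runs — an invariant that is maintained outside the hunk and not stated anywhere. Computing the requirement once and growing to it removes that dependency: `size_t need = strlen(*fstr) + strlen(eval) + 1;` / `if (fstr_len <= need) { fstr_len = need * 2; *fstr = slapi_ch_realloc(*fstr, fstr_len); }`. The same guard appears verbatim in the hunks at @@ -486 and @@ -504 (and with `+ 3` at @@ -530), so a small static helper taking `fstr`, `&fstr_len` and the extra length would leave a single bound to audit. A comment saying what the spare byte bought by `<=` is reserved for (presumably the terminator of an append that follows, which is outside the hunk) would help future readers. get_substring_filter's body extends beyond every one of these hunks.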
@@ -161,6 +161,11 @@ do_escape_string(
 break;
 }
 do {
+ if (bufSpace < 4) {
+ memcpy(bufNext, "..", 2);
+ bufNext += 2;
+ goto bail;
+ }
 if (esc == UTIL_ESCAPE_BACKSLASH) {
 /* *s is '\\' */
 /* If *(s+1) and *(s+2) are both hex digits,
@@ -179,11 +184,6 @@ do_escape_string(
 *bufNext++ = '\\';
 --bufSpace;
 }
- if (bufSpace < 3) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
- goto bail;
- }
 PR_snprintf(bufNext, 3, "%02x", *(unsigned char *)s);
 bufNext += 2;
 bufSpace -= 2;
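Review bot: The moved guard `if (bufSpace < 4)` at the top of the loop covers the worst case visible below it — one escaping backslash, then the two hex digits plus the NUL that `PR_snprintf(bufNext, 3, ...)` writes — but the bail path itself still writes two bytes with `memcpy(bufNext, "..", 2)` while `bufSpace` can be as low as 1 on entry (the visible `--bufSpace; ... bufSpace -= 2;` sequence takes 4 down to 1), and whatever terminator is presumably written at `bail:` needs one more; whether that is safe depends on how `bufSpace` is initialised relative to the real buffer size, which is outside the hunk and worth confirming. The constant 4 carries the whole bound and deserves a comment, e.g. `/* worst case below: '\\' + 2 hex digits + NUL from PR_snprintf = 4 bytes */`. The hunk at @@ -179 is the matching removal of the old `bufSpace < 3` check, which sat after the `*bufNext++ = '\\'` write it was meant to guard. do_escape_string's body starts before the first hunk and continues past the second.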