From a85e2472441a6485aec03a4cd1389765ac895332 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Oct 26 2017 14:24:27 +0000 Subject: Ticket 48894 - harden valueset_array_to_sorted_quick valueset access Description: It's possible during the sorting of a valueset to access an array element past the allocated size, and also go below the index 0. https://pagure.io/389-ds-base/issue/48894 Reviewed by: nweiderm (Thanks!) (cherry picked from commit 2086d052e338ddcbcf6bd3222617991641573a12)
---
diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index d2c67d2..ab5836f 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -984,11 +984,11 @@ valueset_array_to_sorted_quick(const Slapi_Attr *a, Slapi_ValueSet *vs, size_t l
 while (1) {
 do {
 i++;
- } while (valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
+ } while (i < vs->max && valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
 do {
 j--;
- } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);
+ } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0 && j > 0);
 if (i >= j) {
 break;
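Review bot: In the second do-loop the new `j > 0` test sits after the comparison, so it only stops further decrements and does not guard the `vs->sorted[j]` read for the current `j`, unlike the first loop where `i < vs->max` short-circuits ahead of the access. If `j` can be 0 when the loop is entered (its type is not visible here, but `size_t l` in the signature suggests an unsigned index), `j--` wraps and the read happens out of bounds before any bound is tested; checking before the decrement, e.g. `if (j == 0) break;` ahead of `j--`, would close that path. The upper guard compares against `vs->max`, which the description calls the allocated size; if the number of populated values can be smaller, `i` may still reach slots holding no valid value, so bounding by the partition's right edge or the value count looks safer and deserves a short comment either way. The function body starts and ends outside this hunk, so whether later code uses `i` after it has reached `vs->max` cannot be confirmed from here.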