ITS#4467: Fix ptr += snprintf buffer overflow tests (made out-of-range ptr).

Also avoid a buf[BUFSIZ] initialization.

diff --git a/libraries/libldap/search.c b/libraries/libldap/search.c
index d92a8bcd1a0f9d598c27beac8f7b59293834b121..b3a8ddb10e5da38a2545a90f4a03867de869daf4 100644 (file)
--- a/libraries/libldap/search.c
+++ b/libraries/libldap/search.c
@@ -301,27 +301,25 @@ ldap_build_search_req(
 
 #ifdef LDAP_DEBUG
        if ( ldap_debug & LDAP_DEBUG_ARGS ) {
-               char    buf[ BUFSIZ ] = { ' ', '*', '\0' };
+               char    buf[ BUFSIZ ], *ptr = " *";
 
                if ( attrs != NULL ) {
-                       char    *ptr;
-                       int     i;
-
-                       for ( ptr = buf, i = 0;
-                               attrs[ i ] != NULL && ptr < &buf[ sizeof( buf ) ];
-                               i++ )
-                       {
-                               ptr += snprintf( ptr, sizeof( buf ) - ( ptr - buf ),
-                                       " %s", attrs[ i ] );
+                       int     i, len, rest = sizeof( buf );
+
+                       for ( i = 0; attrs[ i ] != NULL && rest > 0; i++ ) {
+                               ptr = &buf[ sizeof( buf ) - rest ];
+                               len = snprintf( ptr, rest, " %s", attrs[ i ] );
+                               rest -= (len >= 0 ? len : (int) sizeof( buf ));
                        }
 
-                       if ( ptr >= &buf[ sizeof( buf ) ] ) {
+                       if ( rest <= 0 ) {
                                AC_MEMCPY( &buf[ sizeof( buf ) - STRLENOF( "...(truncated)" ) - 1 ],
                                        "...(truncated)", STRLENOF( "...(truncated)" ) + 1 );
                        } 
+                       ptr = buf;
                }
 
-               Debug( LDAP_DEBUG_ARGS, "ldap_build_search_req ATTRS:%s\n", buf, 0, 0 );
+               Debug( LDAP_DEBUG_ARGS, "ldap_build_search_req ATTRS:%s\n", ptr, 0,0 );
        }
 #endif /* LDAP_DEBUG */