From 86906501215e8f06f90c1af7f2731fa62c749d06 Mon Sep 17 00:00:00 2001
From: Hallvard Furuseth
Date: Fri, 24 Oct 2008 13:11:10 +0000
Subject: [PATCH] ITS#4467: Fix ptr += snprintf buffer overflow tests (made out-of-range ptr). Also avoid a buf[BUFSIZ] initialization.
---
 libraries/libldap/search.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/libraries/libldap/search.c b/libraries/libldap/search.c
index d92a8bcd1a..b3a8ddb10e 100644
--- a/libraries/libldap/search.c
+++ b/libraries/libldap/search.c
@@ -301,27 +301,25 @@ ldap_build_search_req(
 #ifdef LDAP_DEBUG
 if ( ldap_debug & LDAP_DEBUG_ARGS ) {
- char buf[ BUFSIZ ] = { ' ', '*', '\0' };
+ char buf[ BUFSIZ ], *ptr = " *";
 if ( attrs != NULL ) {
- char *ptr;
- int i;
-
- for ( ptr = buf, i = 0;
- attrs[ i ] != NULL && ptr < &buf[ sizeof( buf ) ];
- i++ )
- {
- ptr += snprintf( ptr, sizeof( buf ) - ( ptr - buf ),
- " %s", attrs[ i ] );
+ int i, len, rest = sizeof( buf );
+
+ for ( i = 0; attrs[ i ] != NULL && rest > 0; i++ ) {
+ ptr = &buf[ sizeof( buf ) - rest ];
+ len = snprintf( ptr, rest, " %s", attrs[ i ] );
+ rest -= (len >= 0 ? len : (int) sizeof( buf ));
 }
- if ( ptr >= &buf[ sizeof( buf ) ] ) {
+ if ( rest <= 0 ) {
 AC_MEMCPY( &buf[ sizeof( buf ) - STRLENOF( "...(truncated)" ) - 1 ], "...(truncated)", STRLENOF( "...(truncated)" ) + 1 );
 }
+ ptr = buf;
 }
- Debug( LDAP_DEBUG_ARGS, "ldap_build_search_req ATTRS:%s\n", buf, 0, 0 );
+ Debug( LDAP_DEBUG_ARGS, "ldap_build_search_req ATTRS:%s\n", ptr, 0,0 );
 }
 #endif /* LDAP_DEBUG */
-- 
2.39.5
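Review bot: When `attrs` is non-NULL but its first element is NULL, the loop body never runs, yet the new `ptr = buf;` still executes and `Debug()` then formats `buf` with `%s` while it is uninitialized, because this commit dropped the `{ ' ', '*', '\0' }` initializer. That can copy stale stack bytes into the debug log, or read past the array if no NUL happens to be present; it is only reachable when LDAP_DEBUG is compiled in and LDAP_DEBUG_ARGS is set. Guarding the assignment as `if ( i > 0 ) ptr = buf;` keeps the previous " *" output for an empty list, or `buf[ 0 ] = '\0';` before the `for` would also close the gap. The enclosing ldap_build_search_req() starts and ends outside this hunk, so whether callers can pass an empty array is not visible here.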