From ab099caed5fbb6f603f2d6ebe68cba95279f13b3 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 13 Feb 2002 09:59:10 +0000
Subject: [PATCH] ber_get_next: return error if decoded ber_len is smaller than
 actual count

---
 libraries/liblber/io.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index bde7ce3055..4a687de483 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -548,6 +548,15 @@ ber_get_next(
 		}
 
 		if (ber->ber_buf==NULL) {
+			ber_len_t l = ber->ber_rwptr - ber->ber_ptr;
+			/* ber->ber_ptr is always <= ber->ber->ber_rwptr.
+			 * make sure ber->ber_len agrees with what we've
+			 * already read.
+			 */
+			if ( ber->ber_len < i + l ) {
+				errno = ERANGE;
+				return LBER_DEFAULT;
+			}
 			ber->ber_buf = (char *) LBER_MALLOC( ber->ber_len + 1 );
 			if (ber->ber_buf==NULL) {
 				return LBER_DEFAULT;
@@ -556,10 +565,9 @@ ber_get_next(
 			if (i) {
 				AC_MEMCPY(ber->ber_buf, buf, i);
 			}
-			if (ber->ber_ptr < ber->ber_rwptr) {
-				AC_MEMCPY(ber->ber_buf + i, ber->ber_ptr, ber->ber_rwptr-
-					ber->ber_ptr);
-				i += ber->ber_rwptr - ber->ber_ptr;
+			if (l > 0) {
+				AC_MEMCPY(ber->ber_buf + i, ber->ber_ptr, l);
+				i += l;
 			}
 			ber->ber_ptr = ber->ber_buf;
 			ber->ber_usertag = 0;
-- 
2.39.2