From b38a85fd90dacf9de8e3fa19e2a77eb9efded347 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 17 Dec 2004 10:35:23 +0000
Subject: [PATCH] Import ITS#3420 fix from HEAD (also #3404, #3296)

---
 CHANGES                   | 1 +
 servers/slapd/sl_malloc.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index cc8c2daeaf..0f0a6212aa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,7 @@ OpenLDAP 2.2 Change Log
 OpenLDAP 2.2.20 Engineering
 	Fixed slapd sanity check on protocol in authz-regexp URI (ITS#3411)
 	Fixed slapd ID to DN mapping when values need DN escaping (ITS#3419)
+	Fixed slapd sl_realloc memory overrun (ITS#3420, #3404, #3296)
 	Fixed back-bdb locks in backend_group (ITS#3263, #3365)
 	Fixed back-sql segfault when logging and delete_rule is NULL (ITS#3407)
 	Build Environment
diff --git a/servers/slapd/sl_malloc.c b/servers/slapd/sl_malloc.c
index 21afb52307..da0b49390b 100644
--- a/servers/slapd/sl_malloc.c
+++ b/servers/slapd/sl_malloc.c
@@ -195,7 +195,8 @@ sl_realloc( void *ptr, ber_len_t size, void *ctx )
 		new = p;
 	
 	/* If reallocing the last block, we can grow it */
-	} else if ( (char *)ptr + p[-1] == sh->h_last ) {
+	} else if ( (char *)ptr + p[-1] == sh->h_last &&
+		(char *)ptr + size < (char *)sh->h_end ) {
 		new = p;
 		sh->h_last = (char *) sh->h_last + size - p[-1];
 		p[-1] = size;
-- 
2.39.5