Import ITS#3420 fix from HEAD (also #3404, #3296)

diff --git a/CHANGES b/CHANGES
index cc8c2daeafaeead38f0e59e3151639895f1f77e0..0f0a6212aa05e613a77df529181fbe893cff27c6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,7 @@ OpenLDAP 2.2 Change Log
 OpenLDAP 2.2.20 Engineering
        Fixed slapd sanity check on protocol in authz-regexp URI (ITS#3411)
        Fixed slapd ID to DN mapping when values need DN escaping (ITS#3419)
+       Fixed slapd sl_realloc memory overrun (ITS#3420, #3404, #3296)
        Fixed back-bdb locks in backend_group (ITS#3263, #3365)
        Fixed back-sql segfault when logging and delete_rule is NULL (ITS#3407)
        Build Environment

diff --git a/servers/slapd/sl_malloc.c b/servers/slapd/sl_malloc.c
index 21afb5230701dcc81d533c7d3f1c44349291e17f..da0b49390b412ffb7e3c5534abfbd67ceacb4cb1 100644 (file)
--- a/servers/slapd/sl_malloc.c
+++ b/servers/slapd/sl_malloc.c
@@ -195,7 +195,8 @@ sl_realloc( void *ptr, ber_len_t size, void *ctx )
                new = p;
        
        /* If reallocing the last block, we can grow it */
-       } else if ( (char *)ptr + p[-1] == sh->h_last ) {
+       } else if ( (char *)ptr + p[-1] == sh->h_last &&
+               (char *)ptr + size < (char *)sh->h_end ) {
                new = p;
                sh->h_last = (char *) sh->h_last + size - p[-1];
                p[-1] = size;