From 6911387d3f33136a676df495ad069165bd7d9eea Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Tue, 4 Jul 2017 15:46:49 +0200
Subject: [PATCH 1/3] ldb: Fix index out of bound in ldb_msg_find_common_values

cmocka unit test failed on i386

[==========] Running 2 test(s).
[ RUN ] test_ldb_msg_find_duplicate_val
[ OK ] test_ldb_msg_find_duplicate_val
[ RUN ] test_ldb_msg_find_common_values
[ FAILED ] test_ldb_msg_find_common_values
[==========] 2 test(s) run.
[ ERROR ] --- 0x14 != 0
[ LINE ] --- ../tests/ldb_msg.c:266: error: Failure!
[ PASSED ] 1 test(s).
[ FAILED ] 1 test(s), listed below:
[ FAILED ] test_ldb_msg_find_common_values

1 FAILED TEST(S)

But we were just lucky on other platforms, because there is an index out of bounds according to the valgrind error.

==3298== Invalid read of size 4
==3298== at 0x486FCF6: ldb_val_cmp (ldb_msg.c:95)
==3298== by 0x486FCF6: ldb_msg_find_common_values (ldb_msg.c:266)
==3298== by 0x109A3D: test_ldb_msg_find_common_values (ldb_msg.c:265)
==3298== by 0x48E7490: ??? (in /usr/lib/libcmocka.so.0.4.1)
==3298== by 0x48E7EB0: _cmocka_run_group_tests (in /usr/lib/libcmocka.so.0.4.1)
==3298== by 0x1089B7: main (ldb_msg.c:352)
==3298== Address 0x4b07734 is 4 bytes after a block of size 48 alloc'd
==3298== at 0x483223E: malloc (vg_replace_malloc.c:299)
==3298== by 0x4907AA7: _talloc_array (in /usr/lib/libtalloc.so.2.1.9)
==3298== by 0x486FBF8: ldb_msg_find_common_values (ldb_msg.c:245)
==3298== by 0x109A3D: test_ldb_msg_find_common_values (ldb_msg.c:265)
==3298== by 0x48E7490: ??? (in /usr/lib/libcmocka.so.0.4.1)
==3298== by 0x48E7EB0: _cmocka_run_group_tests (in /usr/lib/libcmocka.so.0.4.1)
==3298== by 0x1089B7: main (ldb_msg.c:352)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12900

Signed-off-by: Lukas Slebodnik
Reviewed-by: Douglas Bagnall
Reviewed-by: Andreas Schneider
(cherry picked from commit 963d9f12f902ae266a8c7edbf4249090de46173b)
---
 lib/ldb/common/ldb_msg.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c index abad5a8..8e4047b 100644 --- a/lib/ldb/common/ldb_msg.c +++ b/lib/ldb/common/ldb_msg.c @@ -262,20 +262,12 @@ int ldb_msg_find_common_values(struct ldb_context *ldb, n_values = el->num_values; i = 0; j = 0; - while (i != n_values) { + while (i != n_values && j < el2->num_values) { int ret = ldb_val_cmp(&values[i], &values2[j]); if (ret < 0) { i++; } else if (ret > 0) { j++; - if (j == el2->num_values) { - /* - We have walked past the end of the second - list, meaning the remainder of the first - list cannot collide and we're done. - */ - break; - } } else { /* we have a collision */ if (! remove_duplicates) { -- 2.7.4
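Review bot: the new loop condition `while (i != n_values && j < el2->num_values)` is the right fix, because the removed `if (j == el2->num_values) break;` only guarded the `ret > 0` branch, so any other path that advanced `j` to `el2->num_values` let the next iteration evaluate `ldb_val_cmp(&values[i], &values2[j])` one element past the end of `values2`, which is exactly the 4-bytes-after-a-48-byte-block read valgrind reports at ldb_msg.c:266. Two small suggestions: keep the rationale that was deleted with the old comment, e.g. a one-line `/* once j passes the end of el2, the rest of el cannot collide */` above the `while`, since the early exit is no longer self-explanatory; and use `i < n_values` alongside `j < el2->num_values` (or cache `el2->num_values` in a local the way `n_values` caches `el->num_values`) so both bounds are written the same way.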