From 6295b60676dd1edd12226bea40a0a6127ff95be8 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Thu, 6 Oct 2011 14:05:31 -0700
Subject: [PATCH] Fix UTF8StringNormalize overrun on zero-length string

Detected by valgrind
---
 servers/slapd/schema_init.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 67508fc..56d690b 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -1852,7 +1852,7 @@ UTF8StringNormalize(
 		}
 		nvalue.bv_val[nvalue.bv_len] = '\0';
 
-	} else {
+	} else if ( nvalue.bv_len )  {
 		/* string of all spaces is treated as one space */
 		nvalue.bv_val[0] = ' ';
 		nvalue.bv_val[1] = '\0';
-- 
1.7.4.2

From: Howard Chu <hyc@openldap.org>
Date: Thu, 6 Oct 2011 22:22:40 +0000 (-0700)
Subject: ITS#7059 replace previous patch
X-Git-Tag: OPENLDAP_REL_ENG_2_4_27~230
X-Git-Url: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff_plain;h=e75c8720191c12db55ab2342fc8f560011c591b8

ITS#7059 replace previous patch

Bug was caused by postalAddressNormalize sending 0-length values
to UTF8StringNormalize.
---

diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 56d690b..65a7e2e 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -1852,12 +1852,12 @@ UTF8StringNormalize(
 		}
 		nvalue.bv_val[nvalue.bv_len] = '\0';
 
-	} else if ( nvalue.bv_len )  {
+	} else if ( tmp.bv_len )  {
 		/* string of all spaces is treated as one space */
 		nvalue.bv_val[0] = ' ';
 		nvalue.bv_val[1] = '\0';
 		nvalue.bv_len = 1;
-	}
+	}	/* should never be entered with 0-length val */
 
 	*normalized = nvalue;
 	return LDAP_SUCCESS;
@@ -2331,13 +2331,18 @@ postalAddressNormalize(
 	}
 	lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;
 
-	normalized->bv_len = l;
+	normalized->bv_len = c = l;
 
-	for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {
+	for ( l = 0; l <= c; l++ ) {
 		/* NOTE: we directly normalize each line,
 		 * without unescaping the values, since the special
 		 * values '\24' ('$') and '\5C' ('\') are not affected
 		 * by normalization */
+		if ( !lines[l].bv_len ) {
+			nlines[l].bv_len = 0;
+			nlines[l].bv_val = NULL;
+			continue;
+		}
 		rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );
 		if ( rc != LDAP_SUCCESS ) {
 			rc = LDAP_INVALID_SYNTAX;
@@ -2350,7 +2355,7 @@ postalAddressNormalize(
 	normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
 
 	p = normalized->bv_val;
-	for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
+	for ( l = 0; l <= c ; l++ ) {
 		p = lutil_strbvcopy( p, &nlines[l] );
 		*p++ = '$';
 	}