From ba9f9afe8b6ca8c008ac8f97c43d896e1cbc4b91 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 10 Apr 2003 19:08:42 +0000 Subject: Fix from Andrew Esh to ensure tdb_pack can't segfault. Also stop it leaking memory like a sieve ! Jeremy. (This used to be commit 11b914ed84c4dbd31726969b3b924f686f938510)
---
 source3/tdb/tdbutil.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/source3/tdb/tdbutil.c b/source3/tdb/tdbutil.c
index b153d442bd..69b282cda0 100644
--- a/source3/tdb/tdbutil.c
+++ b/source3/tdb/tdbutil.c
@@ -42,7 +42,7 @@ static void gotalarm_sig(void)
 static TDB_DATA make_tdb_data(const char *dptr, size_t dsize)
 {
 	TDB_DATA ret;
-	ret.dptr = smb_xstrdup(dptr);
+	ret.dptr = dptr;
 	ret.dsize = dsize;
 	return ret;
 }
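Review bot: `ret.dptr = dptr;` stores the caller's `const char *` into the TDB_DATA `dptr` member, which (if it is the usual plain `char *`) discards the const qualifier and, more importantly, silently changes the ownership contract: the returned TDB_DATA is now a view that aliases the caller's buffer rather than a copy, so any caller that used to free `ret.dptr` or keep the result beyond the lifetime of `dptr` will now free or read memory it does not own. None of those callers are in the hunk, so this is inferred; the change itself deserves a comment on the function so the next reader does not reintroduce a free, e.g. `/* Wraps dptr without copying: the result aliases the caller's buffer and must not be freed. */`. If the const warning matters, the explicit cast `ret.dptr = (char *)dptr;` at least states the intent.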
@@ -406,47 +406,47 @@ size_t tdb_pack(char *buf, int bufsize, const char *fmt, ...)
 		case 'b': /* unsigned 8-bit integer */
 			len = 1;
 			bt = (uint8)va_arg(ap, int);
-			if (bufsize >= len)
+			if (bufsize && bufsize >= len)
 				SSVAL(buf, 0, bt);
 			break;
 		case 'w': /* unsigned 16-bit integer */
 			len = 2;
 			w = (uint16)va_arg(ap, int);
-			if (bufsize >= len)
+			if (bufsize && bufsize >= len)
 				SSVAL(buf, 0, w);
 			break;
 		case 'd': /* signed 32-bit integer (standard int in most systems) */
 			len = 4;
 			d = va_arg(ap, uint32);
-			if (bufsize >= len)
+			if (bufsize && bufsize >= len)
 				SIVAL(buf, 0, d);
 			break;
 		case 'p': /* pointer */
 			len = 4;
 			p = va_arg(ap, void *);
 			d = p?1:0;
-			if (bufsize >= len)
+			if (bufsize && bufsize >= len)
 				SIVAL(buf, 0, d);
 			break;
 		case 'P': /* null-terminated string */
 			s = va_arg(ap,char *);
 			w = strlen(s);
 			len = w + 1;
-			if (bufsize >= len)
+			if (bufsize && bufsize >= len)
 				memcpy(buf, s, len);
 			break;
 		case 'f': /* null-terminated string */
 			s = va_arg(ap,char *);
 			w = strlen(s);
 			len = w + 1;
-			if (bufsize >= len)
+			if (bufsize && bufsize >= len)
 				memcpy(buf, s, len);
 			break;
 		case 'B': /* fixed-length string */
 			i = va_arg(ap, int);
 			s = va_arg(ap, char *);
 			len = 4+i;
-			if (bufsize >= len) {
+			if (bufsize && bufsize >= len) {
 				SIVAL(buf, 0, i);
 				memcpy(buf+4, s, i);
 			}
@@ -459,7 +459,10 @@ size_t tdb_pack(char *buf, int bufsize, const char *fmt, ...)
 		}
 
 		buf += len;
-		bufsize -= len;
+		if (bufsize)
+			bufsize -= len;
+		if (bufsize < 0)
+			bufsize = 0;
 	}
 
 	va_end(ap);
-- cgit
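Review bot: The `'b'` case still writes past its own budget: `len = 1` but the store is `SSVAL(buf, 0, bt)`, the same 16-bit setter the `'w'` case uses for `len = 2`, so with exactly one byte left the new `bufsize >= len` check passes and two bytes are written; the store should be the 8-bit setter, `SCVAL(buf, 0, bt);`. The added `bufsize &&` prefix is redundant once the following hunk clamps `bufsize` to 0, because `0 >= len` is already false for every positive `len`, so it only adds noise to seven conditions. The `'B'` case is not made safe by the check either: a negative `i` from the caller gives `len = 4+i` that can satisfy `bufsize >= len`, after which `memcpy(buf+4, s, i)` converts `i` to a huge size_t; a guard such as `if (i < 0) { len = 0; break; }` before the length computation is needed. In the `'P'`/`'f'` cases `w = strlen(s)` presumably truncates to the 16-bit `w` used by the `'w'` case, so strings of 64 KiB or more would be packed with a wrong length — worth confirming `w`'s type, which is declared outside the hunk along with the rest of tdb_pack's prologue and epilogue.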
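Review bot: The `if (bufsize)` guard in front of `bufsize -= len;` does nothing the clamp below it does not already do: with `bufsize == 0` and a non-negative `len` the subtraction goes negative and is immediately reset to 0 on the next line, so the four added lines can be one statement that also records the invariant, `bufsize = (bufsize > len) ? bufsize - len : 0; /* never negative; 0 means "count only, write nothing" */`. Neither form handles a negative `len` (possible from the `'B'` case in the previous hunk), which would grow the remaining budget instead of shrinking it. `buf += len;` on the line above keeps advancing past the end of the caller's buffer once the budget is exhausted; that is acceptable only because every store is gated by `bufsize >= len`, and a one-line comment saying so would help the next reader. The enclosing loop and the function's return value are outside the hunk.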