From 5aff08bf10398f3a4ebbf643165bfc2c661ff08b Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Thu, 26 Oct 2017 08:28:46 -0400
Subject: [PATCH] Ticket 48894 - harden valueset_array_to_sorted_quick valueset access

Description: It's possible during the sorting of a valueset to access an array element past the allocated size, and also go below the index 0.

https://pagure.io/389-ds-base/issue/48894

Reviewed by: ?
---
 ldap/servers/slapd/valueset.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index dc0360738..f980bbddd 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -1019,11 +1019,11 @@ valueset_array_to_sorted_quick(const Slapi_Attr *a, Slapi_ValueSet *vs, size_t l
 while (1) {
 do {
 i++;
- } while (valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
+ } while (i < vs->max && valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);

 do {
 j--;
- } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);
+ } while (j >= 0 && valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);

 if (i >= j) {
 break;
-- 
2.13.6
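Review bot: The new `j >= 0` guard on the second loop cannot stop the underflow if `j` is unsigned, which the `size_t` parameter in the hunk header suggests (the declarations of `i` and `j` are outside the hunk): the test is then always true, and `j--` at 0 wraps, so `vs->sorted[j]` is still read out of bounds. Checking before the decrement, e.g. `if (j == 0) { break; }` ahead of `j--;`, or bounding both scans by the partition limits passed into the function, would make the guard effective. The `i < vs->max` test also bounds by allocated capacity, so any slots of `vs->sorted` past the populated count can still be used as indices into `vs->va`. A short comment saying why a Hoare partition can run past its range here (presumably a comparison that is not a consistent ordering) would help the next reader.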