From fbd4a5f38cc6e57b8c7caada5e3902ef0cb1ccdd Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Thu, 12 Apr 2018 14:45:28 -0400
Subject: [PATCH] CVE-2018-1089 - crash in long search filter

---
 ldap/servers/slapd/util.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index 8c0b7eef9..e7cc4e353 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -148,6 +148,11 @@ do_escape_string (
 break;
 }
 do {
+ if (bufSpace < 4) {
+ memcpy(bufNext, "..", 2);
+ bufNext += 2;
+ goto bail;
+ }
 if (esc == UTIL_ESCAPE_BACKSLASH) {
 /* *s is '\\' */
 /* If *(s+1) and *(s+2) are both hex digits,
@@ -161,14 +166,11 @@ do_escape_string (
 *bufNext++ = *s; --bufSpace;
 }
 } else { /* UTIL_ESCAPE_HEX */
- *bufNext++ = '\\'; --bufSpace;
- if (bufSpace < 3) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
- goto bail;
- }
- PR_snprintf(bufNext, 3, "%02x", *(unsigned char*)s);
- bufNext += 2; bufSpace -= 2;
+ *bufNext++ = '\\';
+ --bufSpace;
+ PR_snprintf(bufNext, 3, "%02x", *(unsigned char*)s);
+ bufNext += 2;
+ bufSpace -= 2;
 }
 } while (++s <= last && (esc = (*special)((unsigned char)*s)));

--
2.13.6
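Review bot: The new `if (bufSpace < 4)` guard at the top of the `do` loop uses a bare literal with no comment, so the invariant this overflow fix rests on is not recorded next to the code. From the visible lines, 4 appears to cover the hex branch in the second hunk: one byte for the backslash plus the three bytes that `PR_snprintf(bufNext, 3, ...)` writes (two digits and a terminating NUL), even though `bufSpace` is only decremented by 3 there. I would add a comment above the guard such as `/* each pass may touch up to 4 bytes (backslash + 2 hex digits + NUL from PR_snprintf); stop and mark truncation before that can overrun buf */`. The guard also writes the two-byte `".."` marker whenever `bufSpace` is anywhere below 4, so it depends on slack reserved where `bufSpace` is initialised and on what the `bail` label appends. Both are outside these hunks, as is the backslash branch's own copy, and should be confirmed against the same bound.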