s3/lib: don't write to buffer (which might be NULL) if bufsize <=0
authorNoel Power <noel.power@suse.com>
Tue, 21 May 2019 13:08:15 +0000 (13:08 +0000)
committerNoel Power <npower@samba.org>
Wed, 29 May 2019 10:10:23 +0000 (10:10 +0000)
Some code depends that tdb_pack[va] will return the bytes it would
write to 'buf' if the bufsize passed in is <=0, writing to the
buffer is protected by lines like
   if (bufsize && bufsize >= len) {
      /* write to 'buf' */
   }

however in these instances the local pointer to the buffer is still
modified
   buf += len;

It's quite probable if bufsize == 0 that buf itself is NULL,
in this case we should protect against performing pointer arithmetic.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/lib/util_tdb.c

index 0d1532193d444584ca38026b45120425872cba85..943847f04a3dee242af3358c915fa098c5d64b16 100644 (file)
@@ -44,10 +44,9 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
        int len = 0;
        char *s;
        char c;
-       uint8_t *buf0 = buf;
        const char *fmt0 = fmt;
        int bufsize0 = bufsize;
-
+       size_t to_write = 0;
        while (*fmt) {
                switch ((c = *fmt++)) {
                case 'b': /* unsigned 8-bit integer */
@@ -104,17 +103,19 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
                        break;
                }
 
-               buf += len;
-               if (bufsize)
+               to_write += len;
+               if (bufsize > 0) {
                        bufsize -= len;
+                       buf += len;
+               }
                if (bufsize < 0)
                        bufsize = 0;
        }
 
        DEBUG(18,("tdb_pack_va(%s, %d) -> %d\n", 
-                fmt0, bufsize0, (int)PTR_DIFF(buf, buf0)));
+                fmt0, bufsize0, (int)to_write));
 
-       return PTR_DIFF(buf, buf0);
+       return to_write;
 }
 
 size_t tdb_pack(uint8_t *buf, int bufsize, const char *fmt, ...)
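Review bot: The new guard `if (bufsize > 0)` still advances `buf` past the end of a too-small buffer in the one iteration where `0 < bufsize < len`: the write itself is skipped (per the description, writes are guarded by `bufsize >= len`), but `buf += len` runs before `bufsize` goes negative and is clamped to 0, so `buf` ends up beyond one-past-the-end of the caller's array, which is out-of-bounds pointer arithmetic even though nothing dereferences it afterwards. Mirroring the write guard removes that case and makes the clamp explicit: `if (bufsize > 0 && bufsize >= len) { bufsize -= len; buf += len; } else { bufsize = 0; }`, after which the separate `if (bufsize < 0) bufsize = 0;` is no longer needed. A one-line comment on `to_write` would also help, e.g. `/* bytes the format would produce, whether or not they fit in buf */`, since the return value is now decoupled from the pointer. The body of tdb_pack_va begins before this hunk; the `len` computation per case is not visible here.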