buffer owerflow in the function parseVariant

[DmitriyFedin]

389-ds-base/ldap/servers/slapd/tools/ldclt/parser.c

Lines 144 to 157 in b0fc468

	if ((variant[0] < VAR_MIN) || (variant[0] > VAR_MAX)) {
	fprintf(stderr, "Error: bad variable in %s : \"%s\"\n", fname, line);
	fprintf(stderr, "Error: must be in [%c-%c]\n", VAR_MIN, VAR_MAX);
	return (-1);
	}
	field->var = variant[0] - VAR_MIN;
	variant++; /* Skip variable name */
	variant++; /* Skip '=' */
	/*
	* We need a variable !
	*/
	if (obj->var[field->var] == NULL)
	obj->var[field->var] = (char *)safe_malloc(MAX_FILTER);

In this case, the variable variant0 can reach a maximum value of 72.

The expression var = variant0 - VAR_MIN; calculates the difference between variant0 and a constant VAR_MIN, resulting in a value of 7 in this specific example.
Attempting to access the array using the calculated index 7 would lead to an out-of-bounds access, causing an array overflow.

Package Version and Platform:

• Platform: ALT Linux 10
• Package and version: main

Additional context
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reporter: Dmitriy Fedin ([email protected]).
Organization: Fobos-NT ([email protected]).