ITS#479 fix: ber_put_seqorset() writes a few bytes beyond an allocated buffer

Commit based upon patch and comments provided by Alan Clark <aclark@novell.com>.
> Kudos to Dave Steck for the find and fix

libraries/liblber/encode.c

@@ -581,6 +581,21 @@ ber_put_seqorset( BerElement *ber )
 		unsigned char nettag[sizeof(ber_tag_t)];
 		ber_tag_t tmptag = (*sos)->sos_tag;
 
+		if( ber->ber_sos->sos_ptr > ber->ber_end ) {
+			/* The sos_ptr exceeds the end of the BerElement
+			 * this can happen, for example, when the sos_ptr
+			 * is near the end and no data was written for the
+			 * 'V'.  We must realloc the BerElement to ensure
+			 * we don't overwrite the buffer when writing
+			 * the tag and length fields.
+			 */
+			ber_len_t ext = ber->ber_sos->sos_ptr - ber->ber_end;
+
+			if( ber_realloc( ber,  ext ) != 0 ) {
+				return -1;
+			}
+		}
+
 		/* the tag */
 		taglen = ber_calc_taglen( tmptag );
 

libraries/liblber/io.c

@@ -39,10 +39,6 @@ static ber_slen_t BerRead LDAP_P((
 	char *buf,
 	ber_len_t len ));
 
-static int ber_realloc LDAP_P((
-	BerElement *ber,
-	ber_len_t len ));
-
 #define EXBUFSIZ	1024
 
 /* probably far too large... */
@@ -137,7 +133,7 @@ ber_write(
 	}
 }
 
-static int
+int
 ber_realloc( BerElement *ber, ber_len_t len )
 {
 	ber_len_t	need, have, total;

libraries/liblber/lber-int.h

@@ -175,6 +175,13 @@ struct seqorset {
 };
 
 
+/*
+ * io.c
+ */
+int ber_realloc LDAP_P((
+	BerElement *ber,
+	ber_len_t len ));
+
 /*
  * bprint.c
  */