From 8aaf5d071b3d9b29dd3f43d14b72b2b205f42c81 Mon Sep 17 00:00:00 2001
From: Leonid Yuriev
Date: Fri, 16 Jul 2021 03:00:43 +0300
Subject: [PATCH] mdbx: fix `pagecheck()`.

Added a check that the data of the BIGDATA node (containing the target page number) is located within the boundaries of the page being checked. The third case of https://github.com/erthink/libmdbx/issues/217.
---
 src/core.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/core.c b/src/core.c
index 4e314851..1a0cdca0 100644
--- a/src/core.c
+++ b/src/core.c
@@ -17151,8 +17151,15 @@ __cold static int mdbx_page_check(MDBX_cursor *const mc,
 break;
 }
 
+ const size_t dsize = node_ds(node);
+ const char *const data = node_data(node);
 if (node_flags(node) & F_BIGDATA) {
- const size_t dsize = node_ds(node);
+ if (unlikely(end_of_page < data + sizeof(pgno_t))) {
+ rc = bad_page(
+ mp, "node-%s(%u of %u, %zu bytes) beyond (%zu) page-end\n",
+ "bigdata-pgno", i, nkeys, dsize, data + dsize - end_of_page);
+ continue;
+ }
 if ((options & C_COPYING) == 0) {
 if (unlikely(dsize <= mc->mc_dbx->md_vlen_min ||
 dsize > mc->mc_dbx->md_vlen_max))
@@ -17180,12 +17187,10 @@ __cold static int mdbx_page_check(MDBX_cursor *const mc,
 continue;
 }
 
- const size_t dsize = node_ds(node);
- const char *const data = node_data(node);
 if (unlikely(end_of_page < data + dsize)) {
- rc = bad_page(mp,
- "node-data(%u of %u, %zu bytes) beyond (%zu) page-end\n",
- i, nkeys, dsize, data + dsize - end_of_page);
+ rc =
+ bad_page(mp, "node-%s(%u of %u, %zu bytes) beyond (%zu) page-end\n",
+ "data", i, nkeys, dsize, data + dsize - end_of_page);
 continue;
 }
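Review bot: The diagnostic in the new F_BIGDATA branch reports `data + dsize - end_of_page`, but the check that fired compares against `data + sizeof(pgno_t)`, so the printed overrun does not describe the condition that failed. If a damaged node carries a small `dsize`, that difference can be zero or negative and, printed through `%zu`, appears as a huge number, which makes triage of a corrupted page harder. I would report the in-page footprint instead: `"bigdata-pgno", i, nkeys, dsize, data + sizeof(pgno_t) - end_of_page);`. A short comment above the check, e.g. `/* the pgno_t stored in a BIGDATA node must itself fit in this page before it is read */`, would also record why this bound differs from the plain-data one. The loop body starts and ends outside the hunk.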
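Review bot: The bounds test `end_of_page < data + dsize` builds a pointer from a length read out of the page being validated before comparing it, and both this `bad_page` call and the one in the first hunk pass a pointer difference (a `ptrdiff_t`) to `%zu`. Forming a pointer beyond the end of the page is undefined, and on a build with a narrow address space a large on-disk `dsize` could presumably wrap and slip past the check. Assuming `data` has already been confirmed to lie inside the page by code outside this hunk, comparing lengths avoids both problems: `if (unlikely(dsize > (size_t)(end_of_page - data))) {` with the last argument written as `dsize - (size_t)(end_of_page - data)`.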