lsm/mdbtools
1
0
Fork 0
mirror of https://github.com/mdbtools/mdbtools.git synced 2025-04-05 20:31:00 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix null-ptr deref when table->map_sz is 0

Browse Source 
The oss-fuzz/36187 attached
clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120
has a table with a map_sz of 0 and the g_memdup2 call returns NULL for
this, while mdb_map_find_next unconditionally derefs table->usage_map
to read the first byte which contains the map-type.

This leads to a NULL-ptr deref (at least with -fsanitize=address builds),
fix this by rejecting tables with a map_sz of 0.

Note this does NOT fix the original problem reported in oss-fuzz/36187
which reports a "Dynamic-stack-buffer-overflow WRITE 16" issue, which
I've been unable to reproduce.
This commit is contained in:
Hans de Goede 2022-01-25 14:52:03 +01:00
parent ab9e4088a9
commit 4febc7b5c6
1 changed files with 6 additions and 0 deletions

6
src/libmdb/table.c
View File

@ -92,6 +92,12 @@ MdbTableDef *mdb_read_table(MdbCatalogEntry *entry)
mdb_free_tabledef(table);
return NULL;
}
/* First byte of usage_map is the map-type and must always be present */
if (table->map_sz < 1) {
fprintf(stderr, "mdb_read_table: invalid map-size: %zu\n", table->map_sz);
mdb_free_tabledef(table);
return NULL;
}
table->usage_map = g_memdup2((char*)buf + row_start, table->map_sz);
if (mdb_get_option(MDB_DEBUG_USAGE))
mdb_buffer_dump(buf, row_start, table->map_sz);