ITS#8722 fix FIRST_DUP/LAST_DUP cursor bounds check
authorHoward Chu <hyc@openldap.org>
Wed, 6 Sep 2017 20:15:48 +0000 (21:15 +0100)
committerQuanah Gibson-Mount <quanah@openldap.org>
Sun, 11 Feb 2018 20:59:28 +0000 (20:59 +0000)
libraries/liblmdb/mdb.c

index bc0ed354ffe60877359f23db84987e8a6d831ab9..b47cb53a2ce1082c900437ec853db4c1c58b2b31 100644 (file)
@@ -6426,6 +6426,11 @@ fetchm:
                        rc = MDB_INCOMPATIBLE;
                        break;
                }
+               if (mc->mc_ki[mc->mc_top] >= NUMKEYS(mc->mc_pg[mc->mc_top])) {
+                       mc->mc_ki[mc->mc_top] = NUMKEYS(mc->mc_pg[mc->mc_top]);
+                       rc = MDB_NOTFOUND;
+                       break;
+               }
                {
                        MDB_node *leaf = NODEPTR(mc->mc_pg[mc->mc_top], mc->mc_ki[mc->mc_top]);
                        if (!F_ISSET(leaf->mn_flags, F_DUPDATA)) {
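Review bot: The added guard ahead of `NODEPTR(mc->mc_pg[mc->mc_top], mc->mc_ki[mc->mc_top])` has no comment saying why the cursor index can be at or beyond the key count at this point, and the assignment inside it only changes anything when the index is strictly greater than `NUMKEYS(...)`. Without the check, `NODEPTR` would take its node offset from a slot outside the page's valid entries, so the reason belongs next to the code: `/* cursor may be parked past the last key on this page; there is no node to read */`. The cause is presumably an earlier delete on the same page, but that is not visible in the hunk. The enclosing case block starts and ends outside the hunk.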
@@ -7080,6 +7085,7 @@ mdb_cursor_del(MDB_cursor *mc, unsigned int flags)
                                                if (!(m2->mc_flags & C_INITIALIZED)) continue;
                                                if (m2->mc_pg[mc->mc_top] == mp) {
                                                        MDB_node *n2 = leaf;
+                                                       if (m2->mc_ki[mc->mc_top] >= NUMKEYS(mp)) continue;
                                                        if (m2->mc_ki[mc->mc_top] != mc->mc_ki[mc->mc_top]) {
                                                                n2 = NODEPTR(mp, m2->mc_ki[mc->mc_top]);
                                                                if (n2->mn_flags & F_SUBDATA) continue;
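Review bot: The new `continue` in the `m2` loop silently skips any tracked cursor whose index is at or past `NUMKEYS(mp)`, and neither the code nor the commit title, which names only FIRST_DUP/LAST_DUP, says why skipping is safe. A one-line comment above it would record the intent, e.g. `/* m2 is past the last key on this page: no node to refresh */`. It is also worth confirming that such a cursor needs no xcursor fix-up later in `mdb_cursor_del`. That cannot be checked here because the loop body continues past the last visible line.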