From: Howard Chu Date: Wed, 6 Sep 2017 20:15:48 +0000 (+0100) Subject: ITS#8722 fix FIRST_DUP/LAST_DUP cursor bounds check X-Git-Tag: LMDB_0.9.22~7 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=98b2910ee89e9fbc6c2df00d3dd35aeca7b86daf;p=openldap ITS#8722 fix FIRST_DUP/LAST_DUP cursor bounds check --- diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c index bc0ed354ff..b47cb53a2c 100644 --- a/libraries/liblmdb/mdb.c +++ b/libraries/liblmdb/mdb.c @@ -6426,6 +6426,11 @@ fetchm: rc = MDB_INCOMPATIBLE; break; } + if (mc->mc_ki[mc->mc_top] >= NUMKEYS(mc->mc_pg[mc->mc_top])) { + mc->mc_ki[mc->mc_top] = NUMKEYS(mc->mc_pg[mc->mc_top]); + rc = MDB_NOTFOUND; + break; + } { MDB_node *leaf = NODEPTR(mc->mc_pg[mc->mc_top], mc->mc_ki[mc->mc_top]); if (!F_ISSET(leaf->mn_flags, F_DUPDATA)) { @@ -7080,6 +7085,7 @@ mdb_cursor_del(MDB_cursor *mc, unsigned int flags) if (!(m2->mc_flags & C_INITIALIZED)) continue; if (m2->mc_pg[mc->mc_top] == mp) { MDB_node *n2 = leaf; + if (m2->mc_ki[mc->mc_top] >= NUMKEYS(mp)) continue; if (m2->mc_ki[mc->mc_top] != mc->mc_ki[mc->mc_top]) { n2 = NODEPTR(mp, m2->mc_ki[mc->mc_top]); if (n2->mn_flags & F_SUBDATA) continue;