ITS#8722 fix FIRST_DUP/LAST_DUP cursor bounds check

[openldap] / libraries / liblmdb / mdb.c

diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
index 2c3438346183c66c67b4ae863d854a4c0fbab371..b47cb53a2ce1082c900437ec853db4c1c58b2b31 100644 (file)
--- a/libraries/liblmdb/mdb.c
+++ b/libraries/liblmdb/mdb.c
@@ -113,6 +113,10 @@ typedef SSIZE_T    ssize_t;
 /* Most platforms have posix_memalign, older may only have memalign */
 #define HAVE_MEMALIGN  1
 #include <malloc.h>
+/* On Solaris, we need the POSIX sigwait function */
+#if defined (__sun)
+# define _POSIX_PTHREAD_SEMANTICS      1
+#endif
 #endif
 
 #if !(defined(BYTE_ORDER) || defined(__BYTE_ORDER))
@@ -6346,16 +6350,9 @@ mdb_cursor_get(MDB_cursor *mc, MDB_val *key, MDB_val *data,
                        break;
                }
                rc = MDB_SUCCESS;
-               if (!(mc->mc_xcursor->mx_cursor.mc_flags & C_INITIALIZED))
+               if (!(mc->mc_xcursor->mx_cursor.mc_flags & C_INITIALIZED) ||
+                       (mc->mc_xcursor->mx_cursor.mc_flags & C_EOF))
                        break;
-               if (mc->mc_xcursor->mx_cursor.mc_flags & C_EOF) {
-                       MDB_cursor *mx = &mc->mc_xcursor->mx_cursor;
-                       if (mx->mc_ki[mx->mc_top] >= NUMKEYS(mx->mc_pg[mx->mc_top])-1) {
-                               rc = MDB_NOTFOUND;
-                               break;
-                       }
-                       mx->mc_flags ^= C_EOF;
-               }
                goto fetchm;
        case MDB_NEXT_MULTIPLE:
                if (data == NULL) {
@@ -6429,6 +6426,11 @@ fetchm:
                        rc = MDB_INCOMPATIBLE;
                        break;
                }
+               if (mc->mc_ki[mc->mc_top] >= NUMKEYS(mc->mc_pg[mc->mc_top])) {
+                       mc->mc_ki[mc->mc_top] = NUMKEYS(mc->mc_pg[mc->mc_top]);
+                       rc = MDB_NOTFOUND;
+                       break;
+               }
                {
                        MDB_node *leaf = NODEPTR(mc->mc_pg[mc->mc_top], mc->mc_ki[mc->mc_top]);
                        if (!F_ISSET(leaf->mn_flags, F_DUPDATA)) {
@@ -7083,6 +7085,7 @@ mdb_cursor_del(MDB_cursor *mc, unsigned int flags)
                                                if (!(m2->mc_flags & C_INITIALIZED)) continue;
                                                if (m2->mc_pg[mc->mc_top] == mp) {
                                                        MDB_node *n2 = leaf;
+                                                       if (m2->mc_ki[mc->mc_top] >= NUMKEYS(mp)) continue;
                                                        if (m2->mc_ki[mc->mc_top] != mc->mc_ki[mc->mc_top]) {
                                                                n2 = NODEPTR(mp, m2->mc_ki[mc->mc_top]);
                                                                if (n2->mn_flags & F_SUBDATA) continue;
@@ -8458,15 +8461,20 @@ mdb_cursor_del0(MDB_cursor *mc)
                                        }
                                        if (mc->mc_db->md_flags & MDB_DUPSORT) {
                                                MDB_node *node = NODEPTR(m3->mc_pg[m3->mc_top], m3->mc_ki[m3->mc_top]);
-                                               /* If this node is a fake page, it needs to be reinited
-                                                * because its data has moved. But just reset mc_pg[0]
-                                                * if the xcursor is already live.
+                                               /* If this node has dupdata, it may need to be reinited
+                                                * because its data has moved.
+                                                * If the xcursor was not initd it must be reinited.
+                                                * Else if node points to a subDB, nothing is needed.
+                                                * Else (xcursor was initd, not a subDB) needs mc_pg[0] reset.
                                                 */
-                                               if ((node->mn_flags & (F_DUPDATA|F_SUBDATA)) == F_DUPDATA) {
-                                                       if (m3->mc_xcursor->mx_cursor.mc_flags & C_INITIALIZED)
-                                                               m3->mc_xcursor->mx_cursor.mc_pg[0] = NODEDATA(node);
-                                                       else
+                                               if (node->mn_flags & F_DUPDATA) {
+                                                       if (m3->mc_xcursor->mx_cursor.mc_flags & C_INITIALIZED) {
+                                                               if (!(node->mn_flags & F_SUBDATA))
+                                                                       m3->mc_xcursor->mx_cursor.mc_pg[0] = NODEDATA(node);
+                                                       } else {
                                                                mdb_xcursor_init1(m3, node);
+                                                               m3->mc_xcursor->mx_cursor.mc_flags |= C_DEL;
+                                                       }
                                                }
                                        }
                                }
@@ -9758,8 +9766,11 @@ int mdb_dbi_open(MDB_txn *txn, const char *name, unsigned int flags, MDB_dbi *db
                MDB_node *node = NODEPTR(mc.mc_pg[mc.mc_top], mc.mc_ki[mc.mc_top]);
                if ((node->mn_flags & (F_DUPDATA|F_SUBDATA)) != F_SUBDATA)
                        return MDB_INCOMPATIBLE;
-       } else if (! (rc == MDB_NOTFOUND && (flags & MDB_CREATE))) {
-               return rc;
+       } else {
+               if (rc != MDB_NOTFOUND || !(flags & MDB_CREATE))
+                       return rc;
+               if (F_ISSET(txn->mt_flags, MDB_TXN_RDONLY))
+                       return EACCES;
        }
 
        /* Done here so we cannot fail after creating a new DB */