From 05cb0449dbf27d36bd021052b681b57f769d1522 Mon Sep 17 00:00:00 2001
From: Evan Miller
Date: Wed, 4 Aug 2021 16:52:37 -0400
Subject: [PATCH 1/2] Version 0.9.4, final
---
 NEWS | 17 +++++++++++++++++
 configure.ac | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 648d1ca..b385e8e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,20 @@
+Version 0.9.4
+=============
+
+libmdb:
+* Write encrypted pages #305
+* Improved support for big-endian platforms
+* Remove obsolete `AC_HEADER_STDC` macro from configure.ac
+
+SQL:
+* Fix compilation on RHEL 7.9 #301
+* Add brackets around table names in `mdb-query` output #307
+* Support for brackets around table names in SQL parser
+* Fix regression in 0.9.3 where `COUNT(*)` resulted in a parse error #318 #319
+
+ODBC:
+* Fix `-Werror=array-bounds` compile error #313
+
 Version 0.9.3
 =============
diff --git a/configure.ac b/configure.ac
index 7393b76..24063a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT([mdbtools],[0.9.4-beta1],[https://github.com/mdbtools/mdbtools/issues],[],[https://github.com/mdbtools/mdbtools])
+AC_INIT([mdbtools],[0.9.4],[https://github.com/mdbtools/mdbtools/issues],[],[https://github.com/mdbtools/mdbtools])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_SRCDIR(src/extras/mdb-dump.c)
From 4febc7b5c674f9d1475f64abf8cd5dcfef03d728 Mon Sep 17 00:00:00 2001
From: Hans de Goede
Date: Tue, 25 Jan 2022 14:52:03 +0100
Subject: [PATCH 2/2] Fix null-ptr deref when table->map_sz is 0
The oss-fuzz/36187 attached clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120 has a table with a map_sz of 0 and the g_memdup2 call returns NULL for this, while mdb_map_find_next unconditionally derefs table->usage_map to read the first byte which contains the map-type. This leads to a NULL-ptr deref (at least with -fsanitize=address builds), fix this by rejecting tables with a map_sz of 0. Note this does NOT fix the original problem reported in oss-fuzz/36187 which reports a "Dynamic-stack-buffer-overflow WRITE 16" issue, which I've been unable to reproduce.
---
 src/libmdb/table.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/libmdb/table.c b/src/libmdb/table.c
index 5dbf789..d130aca 100644
--- a/src/libmdb/table.c
+++ b/src/libmdb/table.c
@@ -92,6 +92,12 @@ MdbTableDef *mdb_read_table(MdbCatalogEntry *entry)
 mdb_free_tabledef(table);
 return NULL;
 }
+ /* First byte of usage_map is the map-type and must always be present */
+ if (table->map_sz < 1) {
+ fprintf(stderr, "mdb_read_table: invalid map-size: %zu\n", table->map_sz);
+ mdb_free_tabledef(table);
+ return NULL;
+ }
 table->usage_map = g_memdup2((char*)buf + row_start, table->map_sz);
 if (mdb_get_option(MDB_DEBUG_USAGE))
 mdb_buffer_dump(buf, row_start, table->map_sz);
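Review bot: The added `map_sz < 1` guard covers only the first-byte read the message describes; the commit says mdb_map_find_next reads the map-type byte, and if it then reads further fields after that byte (a page number, for instance), a map_sz of 1 still lets it read past a 1-byte g_memdup2 copy, so the minimum should be the smallest map that function actually consumes — worth confirming against map.c before settling on the bound. Since the `%zu` format implies `map_sz` is a size_t, `< 1` can only mean zero, so `if (table->map_sz == 0) {` states the intent more plainly. The hunk also shows no upper bound on `map_sz` relative to the page buffer; if the lines before the hunk do not already check that `row_start + table->map_sz` stays within `buf`, the g_memdup2 copy on the following line is an over-read of file-controlled length. mdb_read_table starts and ends outside the hunk.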