Improve bounds and return-value checking

Fixes a memory leak and a number of buffer overruns
Evan Miller
2020-08-06 15:17:04 -04:00
parent b01c4b8941
commit 2e6e88b96f
5 changed files with 21 additions and 9 deletions


@@ -142,6 +142,7 @@ int mdb_find_row(MdbHandle *mdb, int row, int *start, size_t *len)
*len = next_start - (*start & OFFSET_MASK);
if ((*start & OFFSET_MASK) >= mdb->fmt->pg_size ||
(*start & OFFSET_MASK) > next_start ||
next_start > mdb->fmt->pg_size)
return -1;
@@ -527,6 +528,8 @@ mdb_ole_read_next(MdbHandle *mdb, MdbColumn *col, void *ole_ptr)
&buf, &row_start, &len)) {
return 0;
}
if (len < 4)
return 0;
mdb_debug(MDB_DEBUG_OLE,"start %d len %d", row_start, len);
if (col->bind_ptr)
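Review bot: In the first hunk (mdb_find_row), `*len = next_start - (*start & OFFSET_MASK);` is stored before the bounds test, so on the `return -1` path the `size_t` out-parameter already holds the difference; when the start offset exceeds `next_start` that difference is presumably negative and wraps to a very large length. A caller that ignores the return value would then pass that length to a copy or read. I would run the validation first and assign `*len` only once it passes, or at least set `*len = 0;` before `return -1;`. The body of mdb_find_row starts and ends outside the hunk, so the type of `next_start` and any earlier use of `*len` should be confirmed against the full function.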