Improve bounds and return-value checking

Fixes a memory leak and a number of buffer overruns
This commit is contained in:
Evan Miller
2020-08-06 15:17:04 -04:00
parent b01c4b8941
commit 2e6e88b96f
5 changed files with 21 additions and 9 deletions


@@ -204,7 +204,7 @@ mdb_crack_row(MdbTableDef *table, int row_start, int row_end, MdbField *fields)
}
bitmask_sz = (row_cols + 7) / 8;
if (bitmask_sz >= row_end) {
if (bitmask_sz + !IS_JET3(mdb) >= row_end) {
fprintf(stderr, "warning: Invalid page buffer detected in mdb_crack_row.\n");
return -1;
}
@@ -227,6 +227,7 @@ mdb_crack_row(MdbTableDef *table, int row_start, int row_end, MdbField *fields)
}
if (!success) {
fprintf(stderr, "warning: Invalid page buffer detected in mdb_crack_row.\n");
g_free(var_col_offsets);
return -1;
}
}
@@ -273,6 +274,11 @@ mdb_crack_row(MdbTableDef *table, int row_start, int row_end, MdbField *fields)
fields[i].siz = 0;
fields[i].is_null = 1;
}
if (fields[i].start + fields[i].siz > row_end + 1) {
fprintf(stderr, "warning: Invalid data location detected in mdb_crack_row.\n");
g_free(var_col_offsets);
return -1;
}
}
g_free(var_col_offsets);
@@ -586,7 +592,7 @@ mdb_insert_row(MdbTableDef *table, int num_fields, MdbField *fields)
mdb_buffer_dump(row_buffer, 0, new_row_size);
}
pgnum = mdb_map_find_next_freepage(table, new_row_size);
if (!pgnum) {
if (!pgnum || pgnum == -1) {
fprintf(stderr, "Unable to allocate new page.\n");
return 0;
}
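Review bot: The new range check in the third hunk, `if (fields[i].start + fields[i].siz > row_end + 1)`, only bounds the upper end of each field against the row; a field whose start lies below row_start still passes, and if start and siz are signed (their types are not visible here) a negative siz would also slip through, so the later read at fields[i].start can still land outside the row buffer this commit is trying to fence. A lower-bound test in the same condition closes that side, e.g. `if (fields[i].start < row_start || fields[i].start + fields[i].siz > row_end + 1) {`, with a separate `fields[i].siz < 0` test if siz turns out to be signed. The same three warning strings are now emitted from four different exits of mdb_crack_row, so a short why-comment on this one (`/* field must lie entirely within [row_start, row_end] */`) would help whoever reads the log. mdb_crack_row's body starts and ends outside the hunk.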