lsm/mdbtools
1
0
Fork 0
mirror of https://github.com/mdbtools/mdbtools.git synced 2025-09-19 02:27:55 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Improved bounds checking

Browse Source
This commit is contained in:
Evan Miller
2020-08-09 16:38:25 -04:00
parent 7690ef376f
commit 82bbc0cef7
1 changed files with 8 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/libmdb/data.c
View File

@@ -557,16 +557,12 @@ mdb_ole_read(MdbHandle *mdb, MdbColumn *col, void *ole_ptr, size_t chunk_size)
if (ole_len & 0x80000000) { if (ole_len & 0x80000000) {
/* inline ole field, if we can satisfy it, then do it */ /* inline ole field, if we can satisfy it, then do it */
len = col->cur_value_len - MDB_MEMO_OVERHEAD; len = col->cur_value_len - MDB_MEMO_OVERHEAD;
if (chunk_size >= len) { if (chunk_size < len)
if (col->bind_ptr)
memcpy(col->bind_ptr,
&mdb->pg_buf[col->cur_value_start +
MDB_MEMO_OVERHEAD],
len);
return len;
} else {
return 0; return 0;
} if (col->bind_ptr)
memcpy(col->bind_ptr, &mdb->pg_buf[col->cur_value_start +
MDB_MEMO_OVERHEAD], len);
return len;
} else if (ole_len & 0x40000000) { } else if (ole_len & 0x40000000) {
col->cur_blob_pg_row = mdb_get_int32(ole_ptr, 4); col->cur_blob_pg_row = mdb_get_int32(ole_ptr, 4);
mdb_debug(MDB_DEBUG_OLE,"ole row = %d ole pg = %ld", mdb_debug(MDB_DEBUG_OLE,"ole row = %d ole pg = %ld",
@@ -592,7 +588,7 @@ mdb_ole_read(MdbHandle *mdb, MdbColumn *col, void *ole_ptr, size_t chunk_size)
col->cur_blob_pg_row >> 8); col->cur_blob_pg_row >> 8);
if (mdb_find_pg_row(mdb, col->cur_blob_pg_row, if (mdb_find_pg_row(mdb, col->cur_blob_pg_row,
&buf, &row_start, &len)) { &buf, &row_start, &len) || len < 4) {
return 0; return 0;
} }
mdb_debug(MDB_DEBUG_OLE,"start %d len %d", row_start, len); mdb_debug(MDB_DEBUG_OLE,"start %d len %d", row_start, len);
@@ -684,7 +680,7 @@ static size_t mdb_copy_ole(MdbHandle *mdb, void *dest, int start, int size)
mdb_debug(MDB_DEBUG_OLE,"Reading LVAL page %06x", mdb_debug(MDB_DEBUG_OLE,"Reading LVAL page %06x",
pg_row >> 8); pg_row >> 8);
if (mdb_find_pg_row(mdb,pg_row,&buf,&row_start,&len)) { if (mdb_find_pg_row(mdb,pg_row,&buf,&row_start,&len) || len < 4) {
return 0; return 0;
} }
@@ -774,7 +770,7 @@ static char *mdb_memo_to_string(MdbHandle *mdb, int start, int size)
break; break;
/* Stop processing on zero length multiple page memo fields */ /* Stop processing on zero length multiple page memo fields */
if (!len) if (len < 4)
break; break;
memcpy(tmp + tmpoff, (char*)buf + row_start + 4, len - 4); memcpy(tmp + tmpoff, (char*)buf + row_start + 4, len - 4);