Fix stack overflow
See oss-fuzz/28780
@@ -301,10 +301,10 @@ int mdb_read_row(MdbTableDef *table, unsigned int row)
|
|||||||
int row_start;
|
int row_start;
|
||||||
size_t row_size;
|
size_t row_size;
|
||||||
int delflag, lookupflag;
|
int delflag, lookupflag;
|
||||||
MdbField fields[256];
|
MdbField *fields;
|
||||||
int num_fields;
|
int num_fields;
|
||||||
|
|
||||||
if (table->num_rows == 0)
|
if (table->num_rows == 0 || table->num_cols == 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (mdb_find_row(mdb, row, &row_start, &row_size)) {
|
if (mdb_find_row(mdb, row, &row_start, &row_size)) {
|
||||||
@@ -331,10 +331,13 @@ int mdb_read_row(MdbTableDef *table, unsigned int row)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fields = malloc(sizeof(MdbField) * table->num_cols);
|
||||||
|
|
||||||
num_fields = mdb_crack_row(table, row_start, row_size, fields);
|
num_fields = mdb_crack_row(table, row_start, row_size, fields);
|
||||||
if (num_fields < 0)
|
if (num_fields < 0 || !mdb_test_sargs(table, fields, num_fields)) {
|
||||||
|
free(fields);
|
||||||
return 0;
|
return 0;
|
||||||
if (!mdb_test_sargs(table, fields, num_fields)) return 0;
|
}
|
||||||
|
|
||||||
#if MDB_DEBUG
|
#if MDB_DEBUG
|
||||||
fprintf(stdout,"sarg test passed row %d \n", row);
|
fprintf(stdout,"sarg test passed row %d \n", row);
|
||||||
@@ -352,6 +355,8 @@ int mdb_read_row(MdbTableDef *table, unsigned int row)
|
|||||||
fields[i].start, fields[i].siz);
|
fields[i].start, fields[i].siz);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
free(fields);
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
static int _mdb_attempt_bind(MdbHandle *mdb,
|
static int _mdb_attempt_bind(MdbHandle *mdb,
|
||||||
|
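Review bot: The `malloc` result in the second hunk is passed straight to `mdb_crack_row` without a NULL check, so a failed allocation becomes a write through a null pointer. Since `table->num_cols` is presumably read from the database file being parsed, I would also let the allocator check the size multiplication: `fields = calloc(table->num_cols, sizeof(MdbField));` followed by `if (!fields) return 0;`, which matches the 0 returned on the other failure paths visible here. The lines between the second and third hunks are not shown, so confirm that no other return between the allocation and the final `free(fields)` leaks the buffer; whether `mdb_crack_row` limits its writes to `num_cols` entries is also not visible on this page.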