Fix stack overflow

See oss-fuzz/28780
Evan Miller
2020-12-18 09:35:12 -05:00
parent c46c8b0e4d
commit 89007cba18


@@ -301,10 +301,10 @@ int mdb_read_row(MdbTableDef *table, unsigned int row)
int row_start; int row_start;
size_t row_size; size_t row_size;
int delflag, lookupflag; int delflag, lookupflag;
MdbField fields[256]; MdbField *fields;
int num_fields; int num_fields;
if (table->num_rows == 0) if (table->num_rows == 0 || table->num_cols == 0)
return 0; return 0;
if (mdb_find_row(mdb, row, &row_start, &row_size)) { if (mdb_find_row(mdb, row, &row_start, &row_size)) {
@@ -331,10 +331,13 @@ int mdb_read_row(MdbTableDef *table, unsigned int row)
return 0; return 0;
} }
fields = malloc(sizeof(MdbField) * table->num_cols);
num_fields = mdb_crack_row(table, row_start, row_size, fields); num_fields = mdb_crack_row(table, row_start, row_size, fields);
if (num_fields < 0) if (num_fields < 0 || !mdb_test_sargs(table, fields, num_fields)) {
free(fields);
return 0; return 0;
if (!mdb_test_sargs(table, fields, num_fields)) return 0; }
#if MDB_DEBUG #if MDB_DEBUG
fprintf(stdout,"sarg test passed row %d \n", row); fprintf(stdout,"sarg test passed row %d \n", row);
@@ -352,6 +355,8 @@ int mdb_read_row(MdbTableDef *table, unsigned int row)
fields[i].start, fields[i].siz); fields[i].start, fields[i].siz);
} }
free(fields);
return 1; return 1;
} }
static int _mdb_attempt_bind(MdbHandle *mdb, static int _mdb_attempt_bind(MdbHandle *mdb,
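Review bot: The `malloc` added in the second hunk is used without a NULL check, so a failed allocation is handed straight to `mdb_crack_row` and later indexed as `fields[i]`. `table->num_cols` appears to come from the parsed database file (the commit cites an oss-fuzz report), so a crafted file can influence the requested size and the failure path should be handled explicitly: `fields = calloc(table->num_cols, sizeof(*fields));` followed by `if (!fields) return 0;`, where `calloc` also checks the count-times-size multiplication for overflow. The lines between the second and third hunks are not shown; any early return there would also need a `free(fields)`. The body of mdb_read_row starts before the first hunk, so whether `mdb_crack_row` is bounded by `num_cols` cannot be confirmed from this page.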