Commit 13c19f3

Fix overflow in search_tree_size
Also, add guards to follow-up calculations to error if they overflow. Closes #335.
1 parent e7367c2 commit 13c19f3

2 files changed (+21, -6 lines)

Changes.md (+6 lines)
@@ -1,3 +1,9 @@
1+
## 1.8.1
2+
3+
* On very large databases, the calculation to determine the search tree
4+
size could overflow. This was fixed and several additional guards
5+
against overflows were added. Reported by Sami Salonen. GitHub #335.
6+
17
## 1.8.0 - 2023-11-07
28

39
* `PACKAGE_VERSION` is now a private compile definition when building
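Review bot: the new `## 1.8.1` heading in this hunk carries no release date, while the entry immediately below it reads `## 1.8.0 - 2023-11-07`; if this commit is meant to ship as the release, add the date in the same `## 1.8.1 - YYYY-MM-DD` form, otherwise mark the section as unreleased so the two headings follow one convention. The entry text itself is fine, though "several additional guards against overflows were added" could name where (the `search_tree_size` and `data_section_size` calculations in `MMDB_open`) so a reader of the changelog can find them.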

src/maxminddb.c (+15, -6 lines)
@@ -289,18 +289,27 @@ int MMDB_open(const char *const filename, uint32_t flags, MMDB_s *const mmdb) {
289289
goto cleanup;
290290
}
291291

292-
uint32_t search_tree_size =
293-
mmdb->metadata.node_count * mmdb->full_record_byte_size;
292+
ssize_t search_tree_size = (ssize_t)mmdb->metadata.node_count *
293+
(ssize_t)mmdb->full_record_byte_size;
294+
if (search_tree_size <= 0 || search_tree_size / mmdb->metadata.node_count !=
295+
mmdb->full_record_byte_size) {
296+
status = MMDB_INVALID_METADATA_ERROR;
297+
goto cleanup;
298+
}
294299

295300
mmdb->data_section =
296301
mmdb->file_content + search_tree_size + MMDB_DATA_SECTION_SEPARATOR;
297-
if (search_tree_size + MMDB_DATA_SECTION_SEPARATOR >
298-
(uint32_t)mmdb->file_size) {
302+
if (search_tree_size + MMDB_DATA_SECTION_SEPARATOR > mmdb->file_size) {
303+
status = MMDB_INVALID_METADATA_ERROR;
304+
goto cleanup;
305+
}
306+
ssize_t data_section_size =
307+
mmdb->file_size - search_tree_size - MMDB_DATA_SECTION_SEPARATOR;
308+
if (data_section_size > UINT32_MAX || data_section_size <= 0) {
299309
status = MMDB_INVALID_METADATA_ERROR;
300310
goto cleanup;
301311
}
302-
mmdb->data_section_size = (uint32_t)mmdb->file_size - search_tree_size -
303-
MMDB_DATA_SECTION_SEPARATOR;
312+
mmdb->data_section_size = (uint32_t)data_section_size;
304313

305314
// Although it is likely not possible to construct a database with valid
306315
// valid metadata, as parsed above, and a data_section_size less than 3,
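Review bot: the new overflow guard on `search_tree_size` runs after the multiplication it is meant to protect, and that multiplication is now signed: `(ssize_t)mmdb->metadata.node_count * (ssize_t)mmdb->full_record_byte_size` is undefined behaviour in C when the product exceeds SSIZE_MAX, which is reachable on targets where `ssize_t` is 32 bits, and a compiler is entitled to treat the following `search_tree_size / mmdb->metadata.node_count != mmdb->full_record_byte_size` test as dead code. Check before multiplying instead, in unsigned arithmetic, e.g. `if (mmdb->metadata.node_count == 0 || mmdb->full_record_byte_size == 0 || mmdb->metadata.node_count > SIZE_MAX / mmdb->full_record_byte_size)` and then form the product as a `size_t`; that also makes the zero-node case explicit rather than relying on the `search_tree_size <= 0` short-circuit to avoid the division by zero. Separately, `mmdb->data_section = mmdb->file_content + search_tree_size + MMDB_DATA_SECTION_SEPARATOR;` is still assigned before the `> mmdb->file_size` check that can reject that offset; moving the assignment below the check avoids forming a pointer past the end of the mapping for a hostile database, even though nothing dereferences it on the error path.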

0 commit comments