[Xapian-tickets] [Xapian] #824: Out-of-bounds array access on table open if root info level is corrupt
Xapian
nobody at xapian.org
Tue Jan 16 15:29:52 GMT 2024
#824: Out-of-bounds array access on table open if root info level is corrupt
----------------------------------+------------------------
Reporter: group13 | Owner: Olly Betts
Type: defect | Status: new
Priority: normal | Milestone:
Component: Backend-Glass | Version: 1.4.24
Severity: normal | Keywords:
Blocked By: | Blocking:
Operating System: All |
----------------------------------+------------------------
In the Glass backend, the RootInfo ''level'' field comes from disk and is
used before it is checked, which means that e.g. this snippet...
{{{
void
GlassTable::basic_open(const RootInfo * root_info, glass_revision_number_t rev)
{
    ...
    // level is taken straight from the on-disk root info, unvalidated.
    level = root_info->get_level();
    ...
    // No check that level < BTREE_CURSOR_LEVELS before C[] is indexed.
    for (int j = 0; j <= level; ++j) {
	C[j].init(block_size);
    }
}
}}}
...is UB if the level in the file exceeds ''BTREE_CURSOR_LEVELS'' for
whatever reason (perhaps file corruption on disk). If so, even if the
table is otherwise unused, this runs past the end of the ''C'' array here
and again when the ''GlassTable'' is destroyed. In practice, this results
in a segmentation fault/crash; because it happens so early, it cannot be
recovered through ''xapian-check''.
We would instead expect that a ''Xapian::DatabaseCorruptError'' or similar
would be thrown in this case.
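The following is an added example, not Xapian's own code: it models the on-disk ''level'' read and the bounds check the ticket asks for, throwing a corruption error instead of indexing past the cursor array. ''RootInfo'', ''Table'', ''Cursor'', ''DatabaseCorruptError'', the header layout and the assumed depth limit ''MAX_CURSOR_LEVELS'' (standing in for ''BTREE_CURSOR_LEVELS'') are hypothetical stand-ins chosen for the example, not Xapian's real encoding or API.

```cpp
// Added example (not Xapian's code). Models "validate level before use".
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Assumed fixed cursor depth, standing in for BTREE_CURSOR_LEVELS.
const int MAX_CURSOR_LEVELS = 10;

// Stand-in for Xapian::DatabaseCorruptError.
struct DatabaseCorruptError : std::runtime_error {
    explicit DatabaseCorruptError(const std::string& m) : std::runtime_error(m) {}
};

// Hypothetical root-info layout (constructed for this example only):
// byte 0 = B-tree level, bytes 1..4 = little-endian block size.
struct RootInfo {
    int level = 0;
    unsigned block_size = 0;

    static RootInfo unserialise(const std::vector<uint8_t>& buf) {
        if (buf.size() < 5) throw DatabaseCorruptError("root info truncated");
        RootInfo r;
        r.level = buf[0];
        r.block_size = unsigned(buf[1]) | (unsigned(buf[2]) << 8) |
                       (unsigned(buf[3]) << 16) | (unsigned(buf[4]) << 24);
        return r;
    }
    int get_level() const { return level; }
    unsigned get_block_size() const { return block_size; }
};

// Per-level cursor; a std::vector member also makes destruction safe.
struct Cursor {
    std::vector<uint8_t> p;
    void init(unsigned block_size) { p.assign(block_size, 0); }
};

class Table {
    Cursor C[MAX_CURSOR_LEVELS];
    int level = 0;
    unsigned block_size = 0;
  public:
    // Reject an out-of-range level before C[] is ever indexed; the loop
    // below touches C[0..level], so level must be < MAX_CURSOR_LEVELS.
    void basic_open(const RootInfo& root_info) {
        int lvl = root_info.get_level();
        if (lvl < 0 || lvl >= MAX_CURSOR_LEVELS) {
            throw DatabaseCorruptError(
                "B-tree level " + std::to_string(lvl) +
                " exceeds cursor depth " + std::to_string(MAX_CURSOR_LEVELS));
        }
        unsigned bs = root_info.get_block_size();
        if (bs == 0) throw DatabaseCorruptError("block size is zero");
        level = lvl;
        block_size = bs;
        for (int j = 0; j <= level; ++j) {
            C[j].init(block_size);
        }
    }
    int get_level() const { return level; }
};

// Builds a constructed header in the hypothetical layout above.
std::vector<uint8_t> make_header(int level, unsigned block_size) {
    return { uint8_t(level), uint8_t(block_size), uint8_t(block_size >> 8),
             uint8_t(block_size >> 16), uint8_t(block_size >> 24) };
}

// Opens a table from a header; returns the level or throws on corruption.
int open_from_header(const std::vector<uint8_t>& header) {
    Table t;
    t.basic_open(RootInfo::unserialise(header));
    return t.get_level();
}

// True if the header passes validation, false if it is rejected as corrupt.
bool header_opens_cleanly(const std::vector<uint8_t>& header) {
    try {
        open_from_header(header);
        return true;
    } catch (const DatabaseCorruptError&) {
        return false;
    }
}

int main() {
    // A sane header opens; a fuzzed level of 200 is rejected, not indexed.
    return (header_opens_cleanly(make_header(3, 8192)) &&
            !header_opens_cleanly(make_header(200, 8192))) ? 0 : 1;
}
```

The check is placed before any use of ''level'', so a corrupt file fails with a catchable error at open time rather than reading past the end of ''C'' in ''basic_open'' and again in the destructor.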
We've confirmed that this happens with 1.4.24, on Linux, using the Glass
backend in single-file mode. The Chert backend may be affected as well.
This issue was found by running the AFL++ fuzzer to generate corrupted
single-file Glass database files.
--
Ticket URL: <https://trac.xapian.org/ticket/824>
Xapian <https://xapian.org/>