[Xapian-tickets] [Xapian] #824: Out-of-bounds array access on table open if root info level is corrupt
Xapian
nobody at xapian.org
Wed Jan 17 11:01:37 GMT 2024
#824: Out-of-bounds array access on table open if root info level is corrupt
---------------------------+-------------------------------
Reporter: group13 | Owner: Olly Betts
Type: defect | Status: closed
Priority: normal | Milestone: 1.4.25
Component: Backend-Glass | Version: 1.4.24
Severity: normal | Resolution: fixed
Keywords: | Blocked By:
Blocking: | Operating System: All
---------------------------+-------------------------------
Comment (by group13):
Thanks for the quick response!
Is it expected that the patched code sets the level member first and then
checks the value? When trying to confirm the fix with our test input, it
looks like the following now happens:
1. DatabaseCorruptError is now thrown as expected
2. As part of unwinding, the GlassTable is destroyed
3. As part of GlassTable's destructor, the close method is called
4. As part of GlassTable::close, a loop similar to the one above runs
through all cursors to destroy them
5. This loop uses the impossible level value from the file to know how
many levels there are, and we hit the same UB/segfault.
This may be easier to reproduce with a test file that is wildly out of
range rather than just out of range.
--
Ticket URL: <https://trac.xapian.org/ticket/824#comment:2>
Xapian <https://xapian.org/>
Xapian
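
The ordering problem described in the comment above, as an added example that is not part of the original message and is not Xapian's code: ToyTable, MAX_LEVELS and every function name are hypothetical, and the level value 200 is constructed. The cleanup stand-in counts the indices that would fall outside the array instead of touching them, so the demo itself performs no out-of-bounds access.

```cpp
#include <stdexcept>

// Hypothetical names throughout; this is not Xapian's GlassTable.
constexpr int MAX_LEVELS = 10;   // assumed size of the fixed cursor array

struct ToyTable {
    int level = 0;               // index of the root level, read from the file

    // Ordering the comment asks about: store first, check afterwards.
    // The throw leaves the impossible value behind in `level`.
    void open_store_then_check(int level_from_file) {
        level = level_from_file;
        if (level < 0 || level >= MAX_LEVELS)
            throw std::runtime_error("root level out of range");
    }

    // Hardened ordering: validate the untrusted value, commit only if sane.
    void open_check_then_store(int level_from_file) {
        if (level_from_file < 0 || level_from_file >= MAX_LEVELS)
            throw std::runtime_error("root level out of range");
        level = level_from_file;
    }

    // Stand-in for a cleanup loop that walks cursor slots 0..level.
    // Returns how many of those indices lie outside the array.
    int out_of_bounds_slots_on_close() const {
        int bad = 0;
        for (int j = 0; j <= level; ++j)
            if (j >= MAX_LEVELS) ++bad;
        return bad;
    }
};

// Open with an untrusted level, let the corruption error propagate to a
// handler, then report what cleanup would do with the stored `level`.
int bad_slots_after_failed_open(bool check_first, int level_from_file) {
    ToyTable t;
    try {
        if (check_first) t.open_check_then_store(level_from_file);
        else             t.open_store_then_check(level_from_file);
    } catch (const std::runtime_error&) {
        // corruption was reported; cleanup still runs afterwards
    }
    return t.out_of_bounds_slots_on_close();
}
```

With a constructed level of 200, the store-then-check path leaves 191 out-of-range slots for cleanup to walk, while the check-then-store path leaves none.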