[Xapian-tickets] [Xapian] #824: Out-of-bounds array access on table open if root info level is corrupt
Xapian
nobody at xapian.org
Wed Jan 17 21:03:08 GMT 2024
#824: Out-of-bounds array access on table open if root info level is corrupt
---------------------------+-------------------------------
Reporter: group13 | Owner: Olly Betts
Type: defect | Status: reopened
Priority: normal | Milestone: 1.4.25
Component: Backend-Glass | Version: 1.4.24
Severity: normal | Resolution:
Keywords: | Blocked By:
Blocking: | Operating System: All
---------------------------+-------------------------------
Changes (by Olly Betts):
* status: closed => reopened
* resolution: fixed =>
Comment:
> This may be easier to reproduce with a test file that is wildly out of
range rather than just out of range.
FWIW my logic for picking the first "just wrong" value was to catch if the
check added to the code was at the wrong threshold.
Your reasoning looks correct, but I'm surprised CI didn't catch this as it
runs a build (and the testsuite) using ubsan. I can see valgrind not
spotting a small overrun as there are members after this array in the class
and valgrind works on already compiled code so likely only sees the
allocated block, but ubsan should be able to add checks based on the
actual members.
It'd be helpful to provide your test input when reporting these sorts of
bugs...
--
Ticket URL: <https://trac.xapian.org/ticket/824#comment:3>
Xapian <https://xapian.org/>
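The point in the comment above (a small index overrun lands on the members that follow a fixed array inside the same object, so a block-granularity tool like valgrind sees nothing, while a wildly out-of-range value leaves the allocation and is caught) can be shown with a small standalone C program. This is an added illustration and not Xapian's code: the `struct table` layout, the 5-byte root-info encoding, `MAX_LEVELS` and the function names are all assumptions made for the example, and the three header inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table object: a fixed array of per-level records followed by
 * further members.  Assumed layout for this example only, not Xapian's. */
#define MAX_LEVELS 8

struct level_info {
    uint32_t root_block;
    uint32_t item_count;
};

struct table {
    struct level_info levels[MAX_LEVELS];
    uint32_t block_size;   /* members after the array: an index of MAX_LEVELS
                              writes here, still inside the same allocation */
    uint32_t flags;
    int level;             /* level read from the root info */
};

/* Would writing levels[idx] stay inside the struct's own allocation?  If so a
 * tool that only knows block boundaries (valgrind on compiled code) has
 * nothing to report, while a bounds sanitizer that knows the declared array
 * length (ubsan -fsanitize=bounds) still does. */
int overrun_stays_inside_object(unsigned idx)
{
    size_t end = offsetof(struct table, levels)
               + (size_t)(idx + 1) * sizeof(struct level_info);
    return end <= sizeof(struct table);
}

/* Constructed root-info encoding for this example: byte 0 = level,
 * bytes 1..4 = root block, little-endian.  Returns 0 on success and -1 if the
 * header is truncated or the level would index past the array. */
int open_root_info(struct table *t, const unsigned char *hdr, size_t len)
{
    if (len < 5)
        return -1;
    unsigned level = hdr[0];
    /* Validate the untrusted level before using it as an array index. */
    if (level >= MAX_LEVELS)
        return -1;
    uint32_t root = (uint32_t)hdr[1] | ((uint32_t)hdr[2] << 8) |
                    ((uint32_t)hdr[3] << 16) | ((uint32_t)hdr[4] << 24);
    memset(t, 0, sizeof *t);
    t->level = (int)level;
    t->levels[level].root_block = root;
    return 0;
}

int main(void)
{
    struct table t;
    /* Constructed inputs: valid, "just wrong", and wildly out of range. */
    const unsigned char good[5] = {3, 0x10, 0, 0, 0};
    const unsigned char edge[5] = {MAX_LEVELS, 0x10, 0, 0, 0};
    const unsigned char wild[5] = {255, 0x10, 0, 0, 0};

    printf("good: rc=%d\n", open_root_info(&t, good, sizeof good));
    printf("edge: rc=%d, overrun stays inside object: %d\n",
           open_root_info(&t, edge, sizeof edge),
           overrun_stays_inside_object(MAX_LEVELS));
    printf("wild: rc=%d, overrun stays inside object: %d\n",
           open_root_info(&t, wild, sizeof wild),
           overrun_stays_inside_object(255));
    return 0;
}
```

Building the same program with `-fsanitize=bounds` and removing the `level >= MAX_LEVELS` check is the quickest way to confirm which of the two corrupt inputs each tool can see: the "just wrong" value writes into `block_size` and stays within the object, so only the sanitizer's knowledge of the declared array length flags it.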