[Xapian-tickets] [Xapian] #824: Out-of-bounds array access on table open if root info level is corrupt

Xapian nobody at xapian.org
Fri Jan 19 03:18:17 GMT 2024


#824: Out-of-bounds array access on table open if root info level is corrupt
---------------------------+-------------------------------
 Reporter:  group13        |             Owner:  Olly Betts
     Type:  defect         |            Status:  closed
 Priority:  normal         |         Milestone:  1.4.25
Component:  Backend-Glass  |           Version:  1.4.24
 Severity:  normal         |        Resolution:  fixed
 Keywords:                 |        Blocked By:
 Blocking:                 |  Operating System:  All
---------------------------+-------------------------------
Changes (by Olly Betts):

 * status:  reopened => closed
 * resolution:   => fixed

Comment:

 > Of course. I've added one of the crashing inputs, as well as the
 starting seed we used.

 Thanks, fixed in 44aaa6fdfdccb4f2708da0605fa6efcc327d7908 - I've moved the
 check to where the value is read from disk and decoded (which I probably
 should have done to start with, but it requires moving where we define the
 constant to check against).  Backported for 1.4.25 as
 61249b067d1477cc099df342ada2f96b24822f42.

 I've also fixed a similar issue with lack of vetting of the blocksize
 which is read from the same file in the same method - that fix is
 218e5c4b591c7ec5a17b0d78c6bf0a72876f6176, backported as
 7e5c9a4963e4c1701b64f1fcf81a0c2c089874a6.

 > The test input is naturally "more corrupted than necessary" for this
 issue. Please let us know if you would like to see a cleaned-up/minimized
 version as well (so one that is only corrupt in the way mentioned above).

 In this case just your reproducer was enough - it allowed me to verify the
 fix actually addressed the problem(s) it triggered.
-- 
Ticket URL: <https://trac.xapian.org/ticket/824#comment:5>
Xapian <https://xapian.org/>
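
The approach described in the comment above (vet each value at the point where it is read from disk and decoded, before anything can use it as an array index or size) can be sketched as follows. This is an added example and not code from Xapian: the 9-byte layout, the names RootInfo, decode_root_info and open_table, and the limit constants are all assumptions made for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

// Assumed limits for this illustration (not taken from the Xapian sources).
constexpr unsigned MAX_LEVELS = 10;            // size of the per-level cursor array
constexpr std::uint32_t MIN_BLOCKSIZE = 2048;
constexpr std::uint32_t MAX_BLOCKSIZE = 65536;
// Constructed layout: root block (4 bytes LE), level (1 byte), blocksize (4 bytes LE).
constexpr std::size_t ROOT_INFO_SIZE = 9;

struct RootInfo {
    std::uint32_t root_block;
    unsigned level;
    std::uint32_t blocksize;
};

static std::uint32_t read_le32(const unsigned char* p) {
    return std::uint32_t(p[0]) | (std::uint32_t(p[1]) << 8) |
           (std::uint32_t(p[2]) << 16) | (std::uint32_t(p[3]) << 24);
}

// Decode and vet in one place, so no caller ever sees an unchecked value.
bool decode_root_info(const unsigned char* p, std::size_t len, RootInfo& out) {
    if (len < ROOT_INFO_SIZE) return false;    // truncated record
    RootInfo r{read_le32(p), p[4], read_le32(p + 5)};
    // level is later used as an index into a MAX_LEVELS-sized array.
    if (r.level >= MAX_LEVELS) return false;
    // blocksize must be a power of two inside the supported range.
    if (r.blocksize < MIN_BLOCKSIZE || r.blocksize > MAX_BLOCKSIZE ||
        (r.blocksize & (r.blocksize - 1)) != 0) return false;
    out = r;
    return true;
}

struct Cursor { std::uint32_t block = 0; };

// Consumer: indexes by level without re-checking, because decoding vetted it.
bool open_table(const unsigned char* p, std::size_t len,
                std::array<Cursor, MAX_LEVELS>& cursors) {
    RootInfo r;
    if (!decode_root_info(p, len, r)) return false;  // report corruption
    cursors[r.level].block = r.root_block;
    return true;
}
```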