authorwolfbeast <mcwerewolf@gmail.com>2018-06-06 21:27:04 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-06-06 21:27:04 +0200
commit4a71b30364a4b6d1eaf16fcfdc8e873e6697f293 (patch)
treea47014077c14579249859ad34afcc5a8f2f0730a /security/nss/lib/dbm/src/h_page.c
parentd7da72799521386c110dbba73b1e483b00a0a56a (diff)
parent2dad0ec41d0b69c0a815012e6ea4bdde81b2875b (diff)
Merge branch 'NSS-335'
Diffstat (limited to 'security/nss/lib/dbm/src/h_page.c')
-rw-r--r--security/nss/lib/dbm/src/h_page.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/security/nss/lib/dbm/src/h_page.c b/security/nss/lib/dbm/src/h_page.c
index bf1252aeb..e5623224b 100644
--- a/security/nss/lib/dbm/src/h_page.c
+++ b/security/nss/lib/dbm/src/h_page.c
@@ -426,6 +426,9 @@ ugly_split(HTAB *hashp, uint32 obucket, BUFHEAD *old_bufp,
last_bfp = NULL;
scopyto = (uint16)copyto; /* ANSI */
+ if (ino[0] < 1) {
+ return DATABASE_CORRUPTED_ERROR;
+ }
n = ino[0] - 1;
while (n < ino[0]) {
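Review bot: The new guard rejects a zero entry count but sets no upper limit on `ino[0]`, which is read from the page being split. The loop below starts at `n = ino[0] - 1`, and the loop in the third hunk reads `ino[n + 1]` while `n < ino[0]`, so a count larger than the page can hold would presumably index past the page buffer. The second hunk sizes the index area as `sizeof(uint16) * (ino[0] + 3)`, so the same expression could bound the count here: `if (ino[0] < 1 || sizeof(uint16) * (ino[0] + 3) > hashp->BSIZE) {`, assuming `hashp->BSIZE` is the page size for this buffer. ugly_split starts and ends outside this hunk, so the buffer size is not confirmed by the visible lines.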
@@ -463,7 +466,13 @@ ugly_split(HTAB *hashp, uint32 obucket, BUFHEAD *old_bufp,
* Fix up the old page -- the extra 2 are the fields
* which contained the overflow information.
*/
+ if (ino[0] < (moved + 2)) {
+ return DATABASE_CORRUPTED_ERROR;
+ }
ino[0] -= (moved + 2);
+ if (scopyto < sizeof(uint16) * (ino[0] + 3)) {
+ return DATABASE_CORRUPTED_ERROR;
+ }
FREESPACE(ino) =
scopyto - sizeof(uint16) * (ino[0] + 3);
OFFSET(ino) = scopyto;
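Review bot: The second added check runs after `ino[0] -= (moved + 2);` has already written the reduced count into the page. When it fails, the function returns with the count changed but `FREESPACE(ino)` and `OFFSET(ino)` still holding their old values. Whether that half-updated page can later be written back is not visible here. Validating before mutating avoids the question: place `if (scopyto < sizeof(uint16) * (ino[0] - (moved + 2) + 3)) { return DATABASE_CORRUPTED_ERROR; }` directly after the first check and above the subtraction. The enclosing branch of ugly_split begins and continues outside this hunk.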
@@ -486,8 +495,14 @@ ugly_split(HTAB *hashp, uint32 obucket, BUFHEAD *old_bufp,
for (n = 1; (n < ino[0]) && (ino[n + 1] >= REAL_KEY); n += 2) {
cino = (char *)ino;
key.data = (uint8 *)cino + ino[n];
+ if (off < ino[n]) {
+ return DATABASE_CORRUPTED_ERROR;
+ }
key.size = off - ino[n];
val.data = (uint8 *)cino + ino[n + 1];
+ if (ino[n] < ino[n + 1]) {
+ return DATABASE_CORRUPTED_ERROR;
+ }
val.size = ino[n] - ino[n + 1];
off = ino[n + 1];
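Review bot: The two checks in this loop enforce an ordering invariant that is not written down anywhere in the hunk. Each entry must satisfy `off >= ino[n] >= ino[n + 1]`, which keeps `key.size` and `val.size` from wrapping, and bounds every offset by the initial value of `off`. That initial value is set outside the hunk, so the upper bound is only as good as that assignment. A comment above the first check would record this, for example `/* offsets must not increase from the page end; otherwise the sizes below underflow */`. The checks set no lower bound, so an offset could still point into the index area at the start of the page. The loop body continues past the last visible line.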