Fix possible heap buffer overflow

* src/bucket.c (_gdbm_split_bucket): When splitting the bucket, check if hash values are within allowed range.
author: Sergey Poznyakoff <gray@gnu.org> 2022-01-25 18:34:46 +0200
committer: Sergey Poznyakoff <gray@gnu.org> 2022-01-25 18:34:46 +0200
commit: 6840faa15c23ed6329ef4045a09a90226533bdff (patch)
tree: 818d989595f850b550e6f18026e7b807d9ce0c9b
parent: 7c4069ab54da781ccde71b5235eeca63389fe719 (diff)
download: gdbm-6840faa15c23ed6329ef4045a09a90226533bdff.tar.gz
1 files changed, 11 insertions, 2 deletions
diff --git a/src/bucket.c b/src/bucket.c
index 0abec58..7bc6e5b 100644
--- a/src/bucket.c
+++ b/src/bucket.c
@@ -571,9 +571,18 @@ _gdbm_split_bucket (GDBM_FILE dbf, int next_insert)
       for (index = 0; index < dbf->header->bucket_elems; index++)
 	{
 	  bucket_element *old_el = &dbf->bucket->h_table[index];
-	  hash_bucket *bucket =
+	  hash_bucket *bucket;
+	  int elem_loc;
+	  
+	  if (old_el->hash_value < 0)
+	    {
+	      GDBM_SET_ERRNO (dbf, GDBM_BAD_BUCKET, TRUE);
+	      return -1;
+	    }
+
+	  bucket =
 	    newcache[(old_el->hash_value >> (GDBM_HASH_BITS - new_bits)) & 1]->ca_bucket;
-	  int elem_loc = old_el->hash_value % dbf->header->bucket_elems;
+	  elem_loc = old_el->hash_value % dbf->header->bucket_elems;
 	  while (bucket->h_table[elem_loc].hash_value != -1)
 	    elem_loc = (elem_loc + 1) % dbf->header->bucket_elems;
 	  bucket->h_table[elem_loc] = *old_el;
author	Sergey Poznyakoff <gray@gnu.org>	2022-01-25 18:34:46 +0200
committer	Sergey Poznyakoff <gray@gnu.org>	2022-01-25 18:34:46 +0200
commit	6840faa15c23ed6329ef4045a09a90226533bdff (patch)
tree	818d989595f850b550e6f18026e7b807d9ce0c9b
parent	7c4069ab54da781ccde71b5235eeca63389fe719 (diff)
download	gdbm-6840faa15c23ed6329ef4045a09a90226533bdff.tar.gz