From 6840faa15c23ed6329ef4045a09a90226533bdff Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff
Date: Tue, 25 Jan 2022 18:34:46 +0200
Subject: Fix possible heap buffer overflow
* src/bucket.c (_gdbm_split_bucket): When splitting the bucket, check if hash values are within allowed range.
---
 src/bucket.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/bucket.c b/src/bucket.c
index 0abec58..7bc6e5b 100644
--- a/src/bucket.c
+++ b/src/bucket.c
@@ -571,9 +571,18 @@ _gdbm_split_bucket (GDBM_FILE dbf, int next_insert)
 for (index = 0; index < dbf->header->bucket_elems; index++)
 {
 bucket_element *old_el = &dbf->bucket->h_table[index];
- hash_bucket *bucket =
+ hash_bucket *bucket;
+ int elem_loc;
+
+ if (old_el->hash_value < 0)
+ {
+ GDBM_SET_ERRNO (dbf, GDBM_BAD_BUCKET, TRUE);
+ return -1;
+ }
+
+ bucket =
 newcache[(old_el->hash_value >> (GDBM_HASH_BITS - new_bits)) & 1]->ca_bucket;
- int elem_loc = old_el->hash_value % dbf->header->bucket_elems;
+ elem_loc = old_el->hash_value % dbf->header->bucket_elems;
 while (bucket->h_table[elem_loc].hash_value != -1)
 elem_loc = (elem_loc + 1) % dbf->header->bucket_elems;
 bucket->h_table[elem_loc] = *old_el;
--
cgit v1.2.1
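Review bot: The new sign check keeps `elem_loc` non-negative, but the probing loop that follows (`while (bucket->h_table[elem_loc].hash_value != -1)`) still assumes the destination bucket has at least one free slot; on a crafted or corrupted file whose target bucket contains no `-1` entry the loop wraps around forever, turning the former out-of-bounds write into an unbounded spin on open. Bounding the probe count by `dbf->header->bucket_elems` and reporting `GDBM_BAD_BUCKET` closes that path with the same error style the commit introduces. The `%` and `>>` on the surrounding lines also trust `dbf->header->bucket_elems` and `new_bits`; presumably those are validated when the header is read, but if not, a zero `bucket_elems` is a division by zero here and `new_bits > GDBM_HASH_BITS` is an undefined shift. The enclosing `_gdbm_split_bucket` starts before the hunk, so `new_bits` and `newcache` are not visible in this excerpt.
```c
      elem_loc = old_el->hash_value % dbf->header->bucket_elems;
      int probes = 0;
      while (bucket->h_table[elem_loc].hash_value != -1)
	{
	  /* Every slot of the destination bucket is occupied: the file is
	     inconsistent, so fail instead of probing forever.  */
	  if (++probes >= dbf->header->bucket_elems)
	    {
	      GDBM_SET_ERRNO (dbf, GDBM_BAD_BUCKET, TRUE);
	      return -1;
	    }
	  elem_loc = (elem_loc + 1) % dbf->header->bucket_elems;
	}
      /* … unchanged: copy of *old_el into the chosen slot … */
```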