git: 33ee87fa0ae8 - main - improve error handling for corrupt database

From: Wolfram Schneider <wosch_at_FreeBSD.org>
Date: Sun, 30 Jan 2022 18:06:19 UTC
The branch main has been updated by wosch:

URL: https://cgit.FreeBSD.org/src/commit/?id=33ee87fa0ae80cb48fa5bba2bc2b090fc622e413

commit 33ee87fa0ae80cb48fa5bba2bc2b090fc622e413
Author:     Wolfram Schneider <wosch@FreeBSD.org>
AuthorDate: 2022-01-30 18:04:52 +0000
Commit:     Wolfram Schneider <wosch@FreeBSD.org>
CommitDate: 2022-01-30 18:04:52 +0000

    improve error handling for corrupt database
---
 usr.bin/locate/locate/fastfind.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/usr.bin/locate/locate/fastfind.c b/usr.bin/locate/locate/fastfind.c
index 4cae9381024d..69a3c2ed8152 100644
--- a/usr.bin/locate/locate/fastfind.c
+++ b/usr.bin/locate/locate/fastfind.c
@@ -67,7 +67,7 @@ statistic (fp, path_fcodes)
 		} else
 			count += c - OFFSET;
 		
-		if (count < 0 || count > MAXPATHLEN) {
+		if (count < 0 || count >= MAXPATHLEN) {
 			/* stop on error and display the statstics anyway */
 			warnx("corrupted database: %s", path_fcodes);
 			error = 1;
@@ -155,7 +155,7 @@ fastfind
 	register int c, cc;
 	int count, found, globflag;
 	u_char *cutoff;
-	u_char bigram1[NBG], bigram2[NBG], path[MAXPATHLEN];
+	u_char bigram1[NBG], bigram2[NBG], path[MAXPATHLEN + 2];
 
 #ifdef FF_ICASE
 	/* use a lookup table for case insensitive search */
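Review bot: The `+ 2` on the new `path` size is not explained at the declaration, and nothing near it says why two bytes of slack are needed. The later per-character bounds check in this function runs after the write, and a bigram entry writes two bytes, so the highest index touched before the check fires is MAXPATHLEN; a reader of this line cannot see that. I would annotate it: `u_char bigram1[NBG], bigram2[NBG], path[MAXPATHLEN + 2];	/* +2: a bigram pair may land at path[MAXPATHLEN] before the length check below catches it */`. The body of fastfind continues outside this hunk, so the check this depends on is in a later hunk.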
@@ -206,7 +206,9 @@ fastfind
 	foundchar = 0;
 
 #ifdef FF_MMAP
-	c = (u_char)*paddr++; len--;
+	c = (u_char)*paddr++;
+	len--;
+
 	for (; len > 0; ) {
 #else
 	c = getc(fp);
@@ -216,8 +218,12 @@ fastfind
 		/* go forward or backward */
 		if (c == SWITCH) { /* big step, an integer */
 #ifdef FF_MMAP
+			if (len < sizeof(int))
+				errx(1, "corrupted database: %s", database);
+
 			count += getwm(paddr) - OFFSET;
-			len -= INTSIZE; paddr += INTSIZE;
+			len -= INTSIZE;
+			paddr += INTSIZE;
 #else
 			count +=  getwf(fp) - OFFSET;
 #endif /* FF_MMAP */
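Review bot: The new guard compares `len` against `sizeof(int)`, while the advance two lines later subtracts `INTSIZE`; the two should be the same constant so the guard provably covers the bytes `getwm(paddr)` consumes. If INTSIZE is defined as sizeof(int) this is a consistency point rather than a live bug, but as written a future change to INTSIZE would silently leave the guard too narrow or too wide. I would write `if (len < INTSIZE)`. The type of `len` is declared outside this hunk; because the enclosing loop only runs while `len > 0`, the signed/unsigned promotion in the comparison is harmless here, but that reasoning also deserves a one-line comment.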
@@ -225,8 +231,9 @@ fastfind
 			count += c - OFFSET;
 		}
 
-		if (count < 0 || count > MAXPATHLEN)
-			errx(1, "corrupted database: %s", database);
+		if (count < 0 || count >= MAXPATHLEN)
+			errx(1, "corrupted database: %s %d", database, count);
+
 		/* overlay old path */
 		p = path + count;
 		foundchar = p - 1;
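Review bot: The rewritten message appends a bare `%d` after the database name, so the output reads as `corrupted database: /path 4123` with no indication of what the number is, and it now differs in shape from the other three "corrupted database" messages in this commit. Labelling the value keeps the diagnostic self-explanatory: `errx(1, "corrupted database: %s (offset %d)", database, count);`. The same `>=` threshold change appears in the statistic() hunk above; that one is consistent with this check and needs no further change.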
@@ -285,6 +292,10 @@ fastfind
 				*p++ = bigram1[c];
 				*p++ = bigram2[c];
 			}
+
+			if (p - path >= MAXPATHLEN) 
+				errx(1, "corrupted database: %s", database);
+
 		}
 		
 		if (found) {                     /* previous line matched */
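Review bot: The added check is correct only because `path` was enlarged in the same commit — it tests `p - path` after the byte(s) have already been written, so it relies on the array having slack beyond MAXPATHLEN; that coupling is invisible here and should be stated on the check. I would add above it `/* checked after the write: a bigram may have stored two bytes, so path carries MAXPATHLEN + 2 of space */`. Line `if (p - path >= MAXPATHLEN) ` also carries trailing whitespace after the closing parenthesis. The loop this check sits in starts outside the hunk.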