From 068d5ee1a3ac40dabd00d211d5013af44be55bea Mon Sep 17 00:00:00 2001 From: leveldb Team Date: Tue, 18 Apr 2023 22:38:59 +0000 Subject: [PATCH] leveldb: Check slice length in Footer::DecodeFrom() Without this check decoding the footer in Table::Open() can read uninitialized bytes from a buffer allocated on the stack if the file was unexpectedly short. In practice this is probably fine since this function validates a magic number but MSan complains about branching on uninitialized data. PiperOrigin-RevId: 525271012 --- table/format.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/table/format.cc b/table/format.cc index 7647372..ae998c1 100644 --- a/table/format.cc +++ b/table/format.cc @@ -41,6 +41,10 @@ void Footer::EncodeTo(std::string* dst) const { } Status Footer::DecodeFrom(Slice* input) { + if (input->size() < kEncodedLength) { + return Status::Corruption("not an sstable (footer too short)"); + } + const char* magic_ptr = input->data() + kEncodedLength - 8; const uint32_t magic_lo = DecodeFixed32(magic_ptr); const uint32_t magic_hi = DecodeFixed32(magic_ptr + 4);