box: validate key_def->part_count prior to memory allocation
part_count was checked in index_def_check(), which was called too late. Before that check: 1. `malloc(sizeof(*part_def) * part_count)` can fail for huge part_count; 2. key_def_new() can crash for zero part_count because of out of bound access in: NO_WRAP - #1 key_def_contains_sequential_parts (def=0x5555561a2ef0) at src/box/tuple_extract_key.cc:26 - #2 key_def_set_extract_func (key_def=0x5555561a2ef0) at src/box/tuple_extract_key.cc:442 - #3 key_def_set_func (def=0x5555561a2ef0) at src/box/key_def.c:162 - #4 key_def_new (parts=0x7fffc4001350, part_count=0, for_func_index=false) at src/box/key_def.c:320 NO_WRAP Closes #8688 NO_DOC=bugfix (cherry picked from commit ef9e3320)
Showing
- changelogs/unreleased/gh-8688-zero-part_count-crash.md 4 additions, 0 deletionschangelogs/unreleased/gh-8688-zero-part_count-crash.md
- src/box/alter.cc 13 additions, 2 deletionssrc/box/alter.cc
- src/box/index_def.c 0 additions, 10 deletionssrc/box/index_def.c
- src/box/key_def.c 1 addition, 0 deletionssrc/box/key_def.c
- test/engine-luatest/gh_8688_wrong_index_parts_test.lua 43 additions, 0 deletionstest/engine-luatest/gh_8688_wrong_index_parts_test.lua
Loading
Please register or sign in to comment