From f34b61f9471d1c03fe0517b9d817c50c920e378a Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 6 Sep 2017 21:15:48 +0100
Subject: [PATCH] ITS#8722 fix FIRST_DUP/LAST_DUP cursor bounds check

---
 libraries/liblmdb/mdb.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
index 94081cafcf..a483e835c7 100644
--- a/libraries/liblmdb/mdb.c
+++ b/libraries/liblmdb/mdb.c
@@ -7269,6 +7269,11 @@ fetchm:
 			rc = MDB_INCOMPATIBLE;
 			break;
 		}
+		if (mc->mc_ki[mc->mc_top] >= NUMKEYS(mc->mc_pg[mc->mc_top])) {
+			mc->mc_ki[mc->mc_top] = NUMKEYS(mc->mc_pg[mc->mc_top]);
+			rc = MDB_NOTFOUND;
+			break;
+		}
 		{
 			MDB_node *leaf = NODEPTR(mc->mc_pg[mc->mc_top], mc->mc_ki[mc->mc_top]);
 			if (!F_ISSET(leaf->mn_flags, F_DUPDATA)) {
@@ -7921,6 +7926,7 @@ mdb_cursor_del(MDB_cursor *mc, unsigned int flags)
 						if (!(m2->mc_flags & C_INITIALIZED)) continue;
 						if (m2->mc_pg[mc->mc_top] == mp) {
 							MDB_node *n2 = leaf;
+							if (m2->mc_ki[mc->mc_top] >= NUMKEYS(mp)) continue;
 							if (m2->mc_ki[mc->mc_top] != mc->mc_ki[mc->mc_top]) {
 								n2 = NODEPTR(mp, m2->mc_ki[mc->mc_top]);
 								if (n2->mn_flags & F_SUBDATA) continue;
-- 
GitLab