Segfault in DoCompactionWork caused by buffer overflow

Summary: The code was allocating 200 bytes on the stack but it writes 256 bytes into the array. x8a8ea5 std::_Rb_tree<>::erase() @ 0x7f134bee7eb0 (unknown) @ 0x8a8ea5 std::_Rb_tree<>::erase() @ 0x8a35d6 leveldb::DBImpl::CleanupCompaction() @ 0x8a7810 leveldb::DBImpl::BackgroundCompaction() @ 0x8a804d leveldb::DBImpl::BackgroundCall() @ 0x8c4eff leveldb::(anonymous namespace)::PosixEnv::BGThreadWrapper() @ 0x7f134b3c010d start_thread @ 0x7f134bf9f10d clone Test Plan: run db_bench with overwrite option Reviewers: heyongqiang Reviewed By: heyongqiang Differential Revision: https://reviews.facebook.net/D5595
2012-09-21 10:47:08 -07:00 · 2012-09-21 10:47:08 -07:00 · bb2dcd2457
commit bb2dcd2457
parent 9e84834eb4
2 changed files with 4 additions and 4 deletions
--- a/db/db_impl.cc
+++ b/db/db_impl.cc
@ -948,8 +948,8 @@ Status DBImpl::DoCompactionWork(CompactionState* compact) {
      compact->compaction->level(),
      compact->compaction->num_input_files(1),
      compact->compaction->level() + 1);
-  char scratch[200];
+  char scratch[256];
-  compact->compaction->Summary(scratch, 256);
+  compact->compaction->Summary(scratch, sizeof(scratch));
  Log(options_.info_log, "Compaction start summary: %s\n", scratch);
  assert(versions_->NumLevelFiles(compact->compaction->level()) > 0);
--- a/db/version_set.cc
+++ b/db/version_set.cc
@ -1620,10 +1620,10 @@ void Compaction::Summary(char* output, int len) {
    return;
  char level_low_summary[100];
-  InputSummary(inputs_[0], level_low_summary, 100);
+  InputSummary(inputs_[0], level_low_summary, sizeof(level_low_summary));
  char level_up_summary[100];
  if (inputs_[1].size()) {
-    InputSummary(inputs_[1], level_up_summary, 100);
+    InputSummary(inputs_[1], level_up_summary, sizeof(level_up_summary));
  } else {
    level_up_summary[0] = '\0';
  }