Always check mdb_read_table() return value

A couple of places were missing NULL return value checks for mdb_read_table()'s return value. Add these. This fixes a NULL pointer deref while running ./test_script.sh on the test mdb file from oss-fuzz/35972 . Note this does NOT fix the original problem reported in oss-fuzz/35972 which reports a "Dynamic-stack-buffer-overflow WRITE 16" issue, which I've been unable to reproduce.
mdbtools · Jan 25, 2022 · 03391fc · 03391fc
1 parent 2da65ff
commit 03391fc
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/src/libmdb/backend.c b/src/libmdb/backend.c
@@ -872,6 +872,10 @@ generate_table_schema(FILE *outfile, MdbCatalogEntry *entry, char *dbnamespace,
 	fprintf (outfile, " (\n");
 
 	table = mdb_read_table (entry);
+	if (!table) {
+		fprintf(stderr, "Error: Table %s does not exist\n", entry->object_name);
+		return;
+	}
 
 	/* get the columns */
 	mdb_read_columns(table);

diff --git a/src/libmdb/table.c b/src/libmdb/table.c
@@ -361,6 +361,9 @@ unsigned int i, bitn;
 guint32 pgnum;
 
 	table = mdb_read_table(entry);
+	if (!table)
+		return;
+
 	fprintf(stdout,"definition page     = %lu\n",entry->table_pg);
 	fprintf(stdout,"number of datarows  = %d\n",table->num_rows);
 	fprintf(stdout,"number of columns   = %d\n",table->num_cols);

diff --git a/src/util/mdb-header.c b/src/util/mdb-header.c
@@ -92,6 +92,11 @@ FILE *cfile;
 			entry->object_name, entry->object_name);
 	       fprintf (cfile, "\tfprintf (stdout, \"**************** %s ****************\\n\");\n", entry->object_name);
 	       table = mdb_read_table (entry);
+	       if (!table) {
+			fprintf(stderr, "Error: Table %s does not exist in this database.\n", entry->object_name);
+			/* Don't bother clean up memory before exit */
+			exit(1);
+	       }
 
 	       /* get the columns */
 	       mdb_read_columns (table);