From owner-svn-src-head@FreeBSD.ORG Sat Mar 28 06:47:05 2009
Message-Id: <200903280647.n2S6l56R087480@svn.freebsd.org>
From: Xin LI
Date: Sat, 28 Mar 2009 06:47:05 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r190494 - head/lib/libc/db/hash

Author: delphij
Date: Sat Mar 28 06:47:05 2009
New Revision: 190494

URL: http://svn.freebsd.org/changeset/base/190494

Log:
  - If (keysize+datasize)%(bsize=14)==0, insertion of a `big key' would
    cause an invariant (actually, an ugly hack) to fail, and all Hell
    would break loose.

    When deleting a big key, the offset of an empty page should be bsize,
    not bsize-1; otherwise an insertion into the empty page will cause
    the new key to be elongated by 1 byte.

    Make the packing more dense in a couple of cases.

  - fix NULL dereference exposed on big bsize values;

  Obtained from:	NetBSD via OpenBSD

Modified:
  head/lib/libc/db/hash/hash_bigkey.c

Modified: head/lib/libc/db/hash/hash_bigkey.c
==============================================================================
--- head/lib/libc/db/hash/hash_bigkey.c	Sat Mar 28 06:40:48 2009	(r190493)
+++ head/lib/libc/db/hash/hash_bigkey.c	Sat Mar 28 06:47:05 2009	(r190494)
@@ -118,18 +118,30 @@ __big_insert(HTAB *hashp, BUFHEAD *bufp, return (-1); n = p[0]; if (!key_size) { - if (FREESPACE(p)) { - move_bytes = MIN(FREESPACE(p), val_size); + space = FREESPACE(p); + if (space) { + move_bytes = MIN(space, val_size); + /* + * If the data would fit exactly in the + * remaining space, we must overflow it to the + * next page; otherwise the invariant that the + * data must end on a page with FREESPACE + * non-zero would fail. + */ + if (space == val_size && val_size == val->size) + goto toolarge; off = OFFSET(p) - move_bytes; - p[n] = off; memmove(cp + off, val_data, move_bytes); val_data += move_bytes; val_size -= move_bytes; + p[n] = off; p[n - 2] = FULL_KEY_DATA; FREESPACE(p) = FREESPACE(p) - move_bytes; OFFSET(p) = off; - } else + } else { + toolarge: p[n - 2] = FULL_KEY; + } } p = (u_int16_t *)bufp->page; cp = bufp->page; @@ -239,12 +251,12 @@ __big_delete(HTAB *hashp, BUFHEAD *bufp) n -= 2; bp[0] = n; FREESPACE(bp) = hashp->BSIZE - PAGE_META(n); - OFFSET(bp) = hashp->BSIZE - 1; + OFFSET(bp) = hashp->BSIZE; bufp->flags |= BUF_MOD; if (rbufp) __free_ovflpage(hashp, rbufp); - if (last_bfp != rbufp) + if (last_bfp && last_bfp != rbufp) __free_ovflpage(hashp, last_bfp); hashp->NKEYS--;
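Review bot: in the __big_insert hunk, the new local `space` is assigned (`space = FREESPACE(p);`) but its declaration is outside the hunk context, so confirm it is declared with the same width as FREESPACE(p) (u_int16_t) near the top of __big_insert; a wider signed type would silently change the `space == val_size` comparison. The `goto toolarge` jumps from inside the `if (space)` block into the `else` block that holds the label; that is valid C, but a reader can easily miss that the fall-through path now sets `p[n - 2] = FULL_KEY` for two distinct reasons, so a one-line comment at the label (or restructuring the exact-fit case as a flag tested after the if/else) would make the intent explicit. The move of `p[n] = off;` to after the memmove is correct as written, since the memmove touches `cp + off` and not `p[n]`, but it would help to say in the commit message that this is the "denser packing" change rather than a behavioural one.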
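Review bot: in the __big_delete hunk, the added `last_bfp &&` guard matches the "NULL dereference exposed on big bsize values" item in the log, but nothing in the diff context says why `last_bfp` can be NULL here while `rbufp` already has its own `if (rbufp)` check; a short comment above the guard explaining the large-BSIZE case would keep a later cleanup from removing it as redundant. The change of `OFFSET(bp)` from `hashp->BSIZE - 1` to `hashp->BSIZE` is consistent with the `FREESPACE(bp) = hashp->BSIZE - PAGE_META(n)` line just above it (an empty page has its offset at the page end, and the next `off = OFFSET(p) - move_bytes` in __big_insert then places data without a one-byte gap), so any other code path that initialises an empty page should be checked for the same `BSIZE - 1` value.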