--- db-18.1.32/src/btree/bt_cursor.c	2019-02-20 03:21:20.000000000 +0530
b1d0b3
+++ db-18.1.40/src/btree/bt_cursor.c	2020-05-29 23:28:22.000000000 +0530
b1d0b3
@@ -282,6 +282,8 @@
b1d0b3
 	 *
b1d0b3
 	 * Recno uses the btree bt_ovflsize value -- it's close enough.
b1d0b3
 	 */
b1d0b3
+	if (t->bt_minkey == 0)
b1d0b3
+		return (DB_RECOVER);
b1d0b3
 	cp->ovflsize = B_MINKEY_TO_OVFLSIZE(
b1d0b3
 	    dbp,  F_ISSET(dbc, DBC_OPD) ? 2 : t->bt_minkey, dbp->pgsize);
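Review bot: `DB_RECOVER` on the new return line looks like the DB_ENV->open recovery flag rather than an error code; the code BDB uses for "run recovery" is `DB_RUNRECOVERY`, which this same patch returns for the comparable `pgset == NULL` checks in bt_verify.c and db_vrfy.c. If DB_RECOVER is the small positive flag value, callers comparing the result against errno values will misread it, so `return (DB_RUNRECOVERY);` (or `EINVAL`, since a zero bt_minkey is a malformed handle) would be the consistent choice. The guard presumably exists because B_MINKEY_TO_OVFLSIZE divides by the minkey, and a one-line comment such as `/* A zero bt_minkey would divide by zero in B_MINKEY_TO_OVFLSIZE. */` would record that. The enclosing function starts and ends outside the hunk.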
b1d0b3
 
b1d0b3
--- db-18.1.32/src/btree/bt_verify.c	2019-02-20 03:21:20.000000000 +0530
b1d0b3
+++ db-18.1.40/src/btree/bt_verify.c	2020-05-29 23:28:22.000000000 +0530
b1d0b3
@@ -700,7 +700,11 @@
b1d0b3
 			isbad = 1;
b1d0b3
 			goto err;
b1d0b3
 		default:
b1d0b3
+			if (ret == 0) {
b1d0b3
+				isbad = 1;
b1d0b3
+				ret = DB_VERIFY_FATAL;
b1d0b3
+				goto err;
b1d0b3
+			}
b1d0b3
-			DB_ASSERT(env, ret != 0);
b1d0b3
 			break;
b1d0b3
 		}
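Review bot: The new `ret == 0` branch in the default case returns DB_VERIFY_FATAL without printing anything, whereas the other fatal paths this patch adds (the empty-internal-page and `pgset == NULL` checks, for example) emit an EPRINT naming the page, so a db_verify user gets a fatal status with no location. Consider an EPRINT with the page number before the `goto err`. Setting `isbad = 1` alongside `ret = DB_VERIFY_FATAL` also looks redundant with how `err` presumably combines the two; the hash_verify.c hunks in this patch replace `isbad = 1` with the fatal code rather than adding to it. The enclosing function starts and ends outside the hunk.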
b1d0b3
 
b1d0b3
@@ -1074,7 +1078,7 @@
b1d0b3
 	DBT dbta, dbtb, dup_1, dup_2, *p1, *p2, *tmp;
b1d0b3
 	ENV *env;
b1d0b3
 	PAGE *child;
b1d0b3
+	db_pgno_t cpgno, grandparent;
b1d0b3
-	db_pgno_t cpgno;
b1d0b3
 	VRFY_PAGEINFO *pip;
b1d0b3
 	db_indx_t i, *inp;
b1d0b3
 	int adj, cmp, freedup_1, freedup_2, isbad, ret, t_ret;
b1d0b3
@@ -1106,7 +1110,8 @@
b1d0b3
 
b1d0b3
 	buf1 = buf2 = NULL;
b1d0b3
 
b1d0b3
+	if (LF_ISSET(DB_NOORDERCHK))
b1d0b3
+		return (EINVAL);
b1d0b3
-	DB_ASSERT(env, !LF_ISSET(DB_NOORDERCHK));
b1d0b3
 
b1d0b3
 	dupfunc = (dbp->dup_compare == NULL) ? __bam_defcmp : dbp->dup_compare;
b1d0b3
 	if (TYPE(h) == P_LDUP)
b1d0b3
@@ -1115,6 +1120,7 @@
b1d0b3
 		func = __bam_defcmp;
b1d0b3
 		if (dbp->bt_internal != NULL) {
b1d0b3
 			bt = (BTREE *)dbp->bt_internal;
b1d0b3
+			grandparent = bt->bt_root;
b1d0b3
 			if (TYPE(h) == P_IBTREE && (bt->bt_compare != NULL ||
b1d0b3
 			    dupfunc != __bam_defcmp)) {
b1d0b3
 				/*
b1d0b3
@@ -974,8 +980,24 @@
b1d0b3
 				 */
b1d0b3
 				mpf = dbp->mpf;
b1d0b3
 				child = h;
b1d0b3
+				cpgno = pgno;
b1d0b3
 				while (TYPE(child) == P_IBTREE) {
b1d0b3
+					if (NUM_ENT(child) == 0) {
b1d0b3
+						EPRINT((env, DB_STR_A("1088",
b1d0b3
+		    "Page %lu: internal page is empty and should not be",
b1d0b3
+					    "%lu"), (u_long)cpgno));
b1d0b3
+						ret = DB_VERIFY_BAD;
b1d0b3
+						goto err;
b1d0b3
+					}
b1d0b3
 					bi = GET_BINTERNAL(dbp, child, 0);
b1d0b3
+					if (grandparent == bi->pgno) {
b1d0b3
+						EPRINT((env, DB_STR_A("5552",
b1d0b3
+					      "Page %lu: found twice in the btree",
b1d0b3
+				          "%lu"), (u_long)grandparent));
b1d0b3
+						ret = DB_VERIFY_FATAL;
b1d0b3
+						goto err;
b1d0b3
+					} else
b1d0b3
+						grandparent = cpgno;
b1d0b3
 					cpgno = bi->pgno;
b1d0b3
 					if (child != h &&
b1d0b3
 					    (ret = __memp_fput(mpf,
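Review bot: The `grandparent == bi->pgno` test only catches a child whose first entry points back at its parent (or at itself after one extra fetch); a cycle through three or more internal pages, e.g. A -> B -> C -> A, still loops forever because nothing else bounds the `while (TYPE(child) == P_IBTREE)` descent. If the page header's level field is available here (`LEVEL(child)`), requiring it to strictly decrease on every fetch bounds the walk regardless of cycle length, e.g. track `prev_level` and test `if (LEVEL(child) >= prev_level) { ret = DB_VERIFY_FATAL; goto err; }` after the fetch. The two EPRINT continuation lines are indented inconsistently with the rest of the block. The enclosing function starts and ends outside the hunk.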
b1d0b3
@@ -1402,7 +1416,10 @@
b1d0b3
 					 */
b1d0b3
 					if (dup_1.data == NULL ||
b1d0b3
 					    dup_2.data == NULL) {
b1d0b3
+						if (ovflok) {
b1d0b3
+							isbad = 1;
b1d0b3
+							goto err;
b1d0b3
+						}
b1d0b3
-						DB_ASSERT(env, !ovflok);
b1d0b3
 						if (pip != NULL)
b1d0b3
 							F_SET(pip,
b1d0b3
 							    VRFY_INCOMPLETE);
b1d0b3
@@ -1747,9 +1764,10 @@
b1d0b3
 			    (ret = __db_vrfy_ovfl_structure(dbp, vdp,
b1d0b3
 			    child->pgno, child->tlen,
b1d0b3
 			    flags | DB_ST_OVFL_LEAF)) != 0) {
b1d0b3
+				if (ret == DB_VERIFY_BAD) {
b1d0b3
-				if (ret == DB_VERIFY_BAD)
b1d0b3
 					isbad = 1;
b1d0b3
+					break;
b1d0b3
+				} else
b1d0b3
-				else
b1d0b3
 					goto done;
b1d0b3
 			}
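Review bot: The `break` added after `isbad = 1` exits only the innermost enclosing loop or switch, and that construct is outside this hunk; if the `if` sits inside a `switch` on the child type, the break leaves the switch and the iteration continues unchanged. The same edit is made in the hunks at @@ -1823, @@ -1986 and @@ -2026. Where it does leave the loop, verification now stops reporting after the first DB_VERIFY_BAD child instead of checking the remaining entries; if that is deliberate, a one-line comment such as `/* Stop at the first bad child; the rest of this page is not trustworthy. */` would record it.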
b1d0b3
 
b1d0b3
@@ -1823,9 +1841,10 @@
b1d0b3
 						    stflags | DB_ST_TOPLEVEL,
b1d0b3
 						    NULL, NULL, NULL)) != 0) {
b1d0b3
 							if (ret ==
b1d0b3
+							    DB_VERIFY_BAD) {
b1d0b3
-							    DB_VERIFY_BAD)
b1d0b3
 								isbad = 1;
b1d0b3
+								break;
b1d0b3
+							} else
b1d0b3
-							else
b1d0b3
 								goto err;
b1d0b3
 						}
b1d0b3
 					}
b1d0b3
@@ -1969,7 +1988,10 @@
b1d0b3
 			 */
b1d0b3
 
b1d0b3
 			/* Otherwise, __db_vrfy_childput would be broken. */
b1d0b3
+			if (child->refcnt < 1) {
b1d0b3
+				isbad = 1;
b1d0b3
+				goto err;
b1d0b3
+			}
b1d0b3
-			DB_ASSERT(env, child->refcnt >= 1);
b1d0b3
 
b1d0b3
 			/*
b1d0b3
 			 * An overflow referenced more than twice here
b1d0b3
@@ -1986,9 +2008,10 @@
b1d0b3
 					if ((ret = __db_vrfy_ovfl_structure(dbp,
b1d0b3
 					    vdp, child->pgno, child->tlen,
b1d0b3
 					    flags)) != 0) {
b1d0b3
+						if (ret == DB_VERIFY_BAD) {
b1d0b3
-						if (ret == DB_VERIFY_BAD)
b1d0b3
 							isbad = 1;
b1d0b3
+							break;
b1d0b3
+						} else
b1d0b3
-						else
b1d0b3
 							goto done;
b1d0b3
 					}
b1d0b3
 		}
b1d0b3
@@ -2026,9 +2049,10 @@
b1d0b3
 		if ((ret = __bam_vrfy_subtree(dbp, vdp, li->pgno,
b1d0b3
 		    i == 0 ? NULL : li, ri, flags, &child_level,
b1d0b3
 		    &child_nrecs, NULL)) != 0) {
b1d0b3
+			if (ret == DB_VERIFY_BAD) {
b1d0b3
-			if (ret == DB_VERIFY_BAD)
b1d0b3
 				isbad = 1;
b1d0b3
+				break;
b1d0b3
+			} else
b1d0b3
-			else
b1d0b3
 				goto done;
b1d0b3
 		}
b1d0b3
 
b1d0b3
@@ -2929,7 +2953,11 @@
b1d0b3
 	db_pgno_t current, p;
b1d0b3
 	int err_ret, ret;
b1d0b3
 
b1d0b3
+	if (pgset == NULL) {
b1d0b3
+		EPRINT((dbp->env, DB_STR("5542",
b1d0b3
+			"Error, database contains no visible pages.")));
b1d0b3
+		return (DB_RUNRECOVERY);
b1d0b3
+	}
b1d0b3
-	DB_ASSERT(dbp->env, pgset != NULL);
b1d0b3
 
b1d0b3
 	mpf = dbp->mpf;
b1d0b3
 	h = NULL;
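Review bot: The new `pgset == NULL` check returns DB_RUNRECOVERY, and the identical check added in db_vrfy.c (@@ -1622) does the same, but the one in hash_verify.c (@@ -1307) returns DB_VERIFY_FATAL for the same message. A missing page set during verification is a verifier-state problem rather than an environment needing log recovery, so DB_VERIFY_FATAL looks like the right code in all three; at minimum they should agree. The enclosing function starts and ends outside the hunk.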
b1d0b3
--- db-18.1.32/src/db/db_conv.c	2019-02-20 03:21:20.000000000 +0530
b1d0b3
+++ db-18.1.40/src/db/db_conv.c	2020-05-29 23:28:22.000000000 +0530
b1d0b3
@@ -493,8 +493,11 @@
b1d0b3
 	db_indx_t i, *inp, len, tmp;
b1d0b3
 	u_int8_t *end, *p, *pgend;
b1d0b3
 
b1d0b3
-	if (pagesize == 0)
b1d0b3
-		return (0);
b1d0b3
+	/* This function is also used to byteswap logs, so
b1d0b3
+	 * the pagesize might not be an actual page size.
b1d0b3
+	 */
b1d0b3
+	if (!(pagesize >= 24 && pagesize <= DB_MAX_PGSIZE))
b1d0b3
+		return (EINVAL);
b1d0b3
 
b1d0b3
 	if (pgin) {
b1d0b3
 		M_32_SWAP(h->lsn.file);
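Review bot: The lower bound `24` in the new range check is a magic number; naming it (it presumably stands for the smallest header this routine touches before the type switch) or deriving it from the page header size would make the check reviewable. The old code treated `pagesize == 0` as a no-op success, and the comment says log byteswapping passes sizes that are not page sizes, so any caller that relied on the zero case now receives EINVAL; that caller is outside this hunk and should be checked. The enclosing function continues outside the hunk.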
b1d0b3
@@ -513,26 +516,41 @@
b1d0b3
 	pgend = (u_int8_t *)h + pagesize;
b1d0b3
 
b1d0b3
 	inp = P_INP(dbp, h);
b1d0b3
-	if ((u_int8_t *)inp >= pgend)
b1d0b3
-		goto out;
b1d0b3
+	if ((u_int8_t *)inp > pgend)
b1d0b3
+		return (__db_pgfmt(env, pg));
b1d0b3
 
b1d0b3
 	switch (TYPE(h)) {
b1d0b3
 	case P_HASH_UNSORTED:
b1d0b3
 	case P_HASH:
b1d0b3
 		for (i = 0; i < NUM_ENT(h); i++) {
b1d0b3
+			if ((u_int8_t*)(inp + i) >= pgend)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
+			if (inp[i] == 0)
b1d0b3
+				continue;
b1d0b3
 			if (pgin)
b1d0b3
 				M_16_SWAP(inp[i]);
b1d0b3
+			if (inp[i] >= pagesize)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 
b1d0b3
-			if (P_ENTRY(dbp, h, i) >= pgend)
b1d0b3
-				continue;
b1d0b3
+	   		if (P_ENTRY(dbp, h, i) >= pgend)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 
b1d0b3
 			switch (HPAGE_TYPE(dbp, h, i)) {
b1d0b3
 			case H_KEYDATA:
b1d0b3
 				break;
b1d0b3
 			case H_DUPLICATE:
b1d0b3
+				if (LEN_HITEM(dbp, h, pagesize, i) < 
b1d0b3
+				    HKEYDATA_SIZE(0))
b1d0b3
+					return (__db_pgfmt(env, pg));
b1d0b3
+
b1d0b3
 				len = LEN_HKEYDATA(dbp, h, pagesize, i);
b1d0b3
 				p = HKEYDATA_DATA(P_ENTRY(dbp, h, i));
b1d0b3
-				for (end = p + len; p < end;) {
b1d0b3
+
b1d0b3
+				end = p + len;
b1d0b3
+				if (end > pgend)
b1d0b3
+					return (__db_pgfmt(env, pg));
b1d0b3
+
b1d0b3
+				while (p < end) {
b1d0b3
 					if (pgin) {
b1d0b3
 						P_16_SWAP(p);
b1d0b3
 						memcpy(&tmp,
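Review bot: The new bounds checks compare the start of a two-byte object against the page end, so an object that begins on the last byte still reads one byte past it: `(u_int8_t*)(inp + i) >= pgend` admits `inp + i == pgend - 1` before `inp[i]` is read, and `while (p < end)` admits `p == end - 1` before `P_16_SWAP(p)`. The same pattern appears in the @@ -544 hunk (`if (p >= end)` before the trailing `SWAP16(p)`) and, weaker still, in the @@ -618 hunk, whose `(u_int8_t *)(inp + i) > pgend` lets `inp + i == pgend` through. Comparing the end of the object instead, e.g. `if ((u_int8_t *)(inp + i + 1) > pgend)` and `if (p + sizeof(db_indx_t) > end)`, closes the gap. The line `if (P_ENTRY(dbp, h, i) >= pgend)` is indented with a mix of spaces and tabs unlike its neighbours.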
b1d0b3
@@ -544,14 +562,20 @@
b1d0b3
 						SWAP16(p);
b1d0b3
 					}
b1d0b3
 					p += tmp;
b1d0b3
+					if (p >= end)
b1d0b3
+						return (__db_pgfmt(env, pg));
b1d0b3
 					SWAP16(p);
b1d0b3
 				}
b1d0b3
 				break;
b1d0b3
 			case H_OFFDUP:
b1d0b3
+				if ((inp[i] + HOFFDUP_SIZE) > pagesize)
b1d0b3
+					return (__db_pgfmt(env, pg));
b1d0b3
 				p = HOFFPAGE_PGNO(P_ENTRY(dbp, h, i));
b1d0b3
 				SWAP32(p);			/* pgno */
b1d0b3
 				break;
b1d0b3
 			case H_OFFPAGE:
b1d0b3
+				if ((inp[i] + HOFFPAGE_SIZE) > pagesize)
b1d0b3
+					return (__db_pgfmt(env, pg));
b1d0b3
 				p = HOFFPAGE_PGNO(P_ENTRY(dbp, h, i));
b1d0b3
 				SWAP32(p);			/* pgno */
b1d0b3
 				SWAP32(p);			/* tlen */
b1d0b3
@@ -559,7 +583,6 @@
b1d0b3
 			default:
b1d0b3
 				return (__db_pgfmt(env, pg));
b1d0b3
 			}
b1d0b3
-
b1d0b3
 		}
b1d0b3
 
b1d0b3
 		/*
b1d0b3
@@ -576,8 +599,12 @@
b1d0b3
 	case P_LDUP:
b1d0b3
 	case P_LRECNO:
b1d0b3
 		for (i = 0; i < NUM_ENT(h); i++) {
b1d0b3
+			if ((u_int8_t *)(inp + i) >= pgend)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 			if (pgin)
b1d0b3
 				M_16_SWAP(inp[i]);
b1d0b3
+			if (inp[i] >= pagesize)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 
b1d0b3
 			/*
b1d0b3
 			 * In the case of on-page duplicates, key information
b1d0b3
@@ -597,7 +624,7 @@
b1d0b3
 
b1d0b3
 			bk = GET_BKEYDATA(dbp, h, i);
b1d0b3
 			if ((u_int8_t *)bk >= pgend)
b1d0b3
-				continue;
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 			switch (B_TYPE(bk->type)) {
b1d0b3
 			case B_KEYDATA:
b1d0b3
 				M_16_SWAP(bk->len);
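Review bot: `(u_int8_t *)bk >= pgend` only guarantees the first byte of the BKEYDATA header is on the page, yet the next lines read `bk->type` and swap `bk->len`, so a header that starts within the last couple of bytes is still read past `pgend`. The B_OVERFLOW branch in the following hunk bounds the whole BOVERFLOW with `BOVERFLOW_SIZE`, and this check should do the same for the BKEYDATA header, e.g. `if ((u_int8_t *)bk + BKEYDATA_SIZE(0) > pgend)` (or the offset of `data` within BKEYDATA if that macro rounds up). The enclosing function continues outside the hunk.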
b1d0b3
@@ -605,6 +632,8 @@
b1d0b3
 			case B_DUPLICATE:
b1d0b3
 			case B_OVERFLOW:
b1d0b3
 				bo = (BOVERFLOW *)bk;
b1d0b3
+				if (((u_int8_t *)bo + BOVERFLOW_SIZE) > pgend)
b1d0b3
+					return (__db_pgfmt(env, pg));
b1d0b3
 				M_32_SWAP(bo->pgno);
b1d0b3
 				M_32_SWAP(bo->tlen);
b1d0b3
 				break;
b1d0b3
@@ -618,12 +647,17 @@
b1d0b3
 		break;
b1d0b3
 	case P_IBTREE:
b1d0b3
 		for (i = 0; i < NUM_ENT(h); i++) {
b1d0b3
+			if ((u_int8_t *)(inp + i) > pgend)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 			if (pgin)
b1d0b3
 				M_16_SWAP(inp[i]);
b1d0b3
+			if ((u_int16_t)(inp[i] + 
b1d0b3
+			    BINTERNAL_SIZE(0) - 1) > pagesize)
b1d0b3
+				break;
b1d0b3
 
b1d0b3
 			bi = GET_BINTERNAL(dbp, h, i);
b1d0b3
-			if ((u_int8_t *)bi >= pgend)
b1d0b3
-				continue;
b1d0b3
+			if (((u_int8_t *)bi + BINTERNAL_SIZE(0)) > pgend)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 
b1d0b3
 			M_16_SWAP(bi->len);
b1d0b3
 			M_32_SWAP(bi->pgno);
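Review bot: The new `(u_int16_t)(inp[i] + BINTERNAL_SIZE(0) - 1) > pagesize` test truncates its sum to 16 bits, so an offset near the top of a 64 KB page wraps to a small value and passes; the check that actually protects the access is the following `(u_int8_t *)bi + BINTERNAL_SIZE(0) > pgend`, and the first test could be dropped or computed in `u_int32_t`. More importantly, this case reacts to a truncated entry with `break` (and the B_OVERFLOW case in the @@ -634 hunk with `goto out`), so an internal page whose entries run off the end is left partially byte-swapped and reported as success, whereas every other page type in this function returns `__db_pgfmt(env, pg)`. Unless internal pages are special for a reason worth a comment, `return (__db_pgfmt(env, pg));` in both places would be consistent. The P_IBTREE case also lacks the `if (inp[i] >= pagesize)` guard the other cases add.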
b1d0b3
@@ -634,6 +668,10 @@
b1d0b3
 				break;
b1d0b3
 			case B_DUPLICATE:
b1d0b3
 			case B_OVERFLOW:
b1d0b3
+				if ((u_int16_t)(inp[i] + 
b1d0b3
+				    BINTERNAL_SIZE(BOVERFLOW_SIZE) - 1) >
b1d0b3
+				    pagesize)
b1d0b3
+					goto out;
b1d0b3
 				bo = (BOVERFLOW *)bi->data;
b1d0b3
 				M_32_SWAP(bo->pgno);
b1d0b3
 				M_32_SWAP(bo->tlen);
b1d0b3
@@ -648,12 +686,16 @@
b1d0b3
 		break;
b1d0b3
 	case P_IRECNO:
b1d0b3
 		for (i = 0; i < NUM_ENT(h); i++) {
b1d0b3
+			if ((u_int8_t *)(inp + i) >= pgend)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 			if (pgin)
b1d0b3
 				M_16_SWAP(inp[i]);
b1d0b3
+			if (inp[i] >= pagesize)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 
b1d0b3
 			ri = GET_RINTERNAL(dbp, h, i);
b1d0b3
-			if ((u_int8_t *)ri >= pgend)
b1d0b3
-				continue;
b1d0b3
+			if ((((u_int8_t *)ri) + RINTERNAL_SIZE) > pgend)
b1d0b3
+				return (__db_pgfmt(env, pg));
b1d0b3
 
b1d0b3
 			M_32_SWAP(ri->pgno);
b1d0b3
 			M_32_SWAP(ri->nrecs);
b1d0b3
--- db-18.1.32/src/db/db_vrfy.c	2019-02-20 03:21:20.000000000 +0530
b1d0b3
+++ db-18.1.40/src/db/db_vrfy.c	2020-05-29 23:28:22.000000000 +0530
b1d0b3
@@ -381,8 +381,10 @@
b1d0b3
 		    vdp, name, 0, lp, rp, flags)) != 0) {
b1d0b3
 			if (t_ret == DB_VERIFY_BAD)
b1d0b3
 				isbad = 1;
b1d0b3
+			else {
b1d0b3
+			    ret = t_ret;
b1d0b3
+			    goto err;
b1d0b3
+			}
b1d0b3
-			else
b1d0b3
-				goto err;
b1d0b3
 		}
b1d0b3
 
b1d0b3
 	/*
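Review bot: The new `else` block is indented with spaces while the surrounding code uses tabs, so `ret = t_ret;` and `goto err;` sit at a different visual depth than `isbad = 1;` at a tab width of 8. The change itself, propagating `t_ret` into `ret` before jumping to `err` where the old `goto` lost it, is right. The enclosing function starts and ends outside the hunk.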
b1d0b3
@@ -771,9 +773,10 @@
b1d0b3
 		 */
b1d0b3
 		if ((t_ret = __memp_fget(mpf, &i,
b1d0b3
 		    vdp->thread_info, NULL, 0, &h)) != 0) {
b1d0b3
+			if ((dbp->type == DB_HASH ||
b1d0b3
-			if (dbp->type == DB_HASH ||
b1d0b3
 			    (dbp->type == DB_QUEUE &&
b1d0b3
+			    F_ISSET(dbp, DB_AM_INMEM))) &&
b1d0b3
+			    t_ret != DB_RUNRECOVERY) {
b1d0b3
-			    F_ISSET(dbp, DB_AM_INMEM))) {
b1d0b3
 				if ((t_ret =
b1d0b3
 				    __db_vrfy_getpageinfo(vdp, i, &pip)) != 0)
b1d0b3
 					goto err1;
b1d0b3
@@ -945,6 +948,8 @@
b1d0b3
 			return (ret == 0 ? t_ret : ret);
b1d0b3
 	}
b1d0b3
 
b1d0b3
+	if (ret == DB_PAGE_NOTFOUND && isbad == 1)
b1d0b3
+		ret = 0;
b1d0b3
 	return ((isbad == 1 && ret == 0) ? DB_VERIFY_BAD : ret);
b1d0b3
 }
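Review bot: The new `if (ret == DB_PAGE_NOTFOUND && isbad == 1) ret = 0;` silently converts a page-lookup failure into DB_VERIFY_BAD on the next line, and nothing says why that is acceptable only when `isbad` is already set. A comment such as `/* A page missing from a database already known to be bad is reported as more corruption (DB_VERIFY_BAD), not as a lookup error. */` would keep the next reader from "fixing" it. The enclosing function starts outside the hunk.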
b1d0b3
 
b1d0b3
@@ -1581,7 +1586,7 @@
b1d0b3
 	if (pgno == PGNO_BASE_MD &&
b1d0b3
 	    dbtype != DB_QUEUE && meta->last_pgno != vdp->last_pgno) {
b1d0b3
 #ifdef HAVE_FTRUNCATE
b1d0b3
+		ret = DB_VERIFY_FATAL;
b1d0b3
-		isbad = 1;
b1d0b3
 		EPRINT((env, DB_STR_A("0552",
b1d0b3
 		    "Page %lu: last_pgno is not correct: %lu != %lu",
b1d0b3
 		    "%lu %lu %lu"), (u_long)pgno,
b1d0b3
@@ -1622,7 +1627,11 @@
b1d0b3
 
b1d0b3
 	env = dbp->env;
b1d0b3
 	pgset = vdp->pgset;
b1d0b3
+	if (pgset == NULL) {
b1d0b3
+		EPRINT((env, DB_STR("5543",
b1d0b3
+			"Error, database contains no visible pages.")));
b1d0b3
+		return (DB_RUNRECOVERY);
b1d0b3
+	}
b1d0b3
-	DB_ASSERT(env, pgset != NULL);
b1d0b3
 
b1d0b3
 	if ((ret = __db_vrfy_getpageinfo(vdp, meta, &pip)) != 0)
b1d0b3
 		return (ret);
b1d0b3
@@ -2014,7 +2023,8 @@
b1d0b3
 	int keyflag, ret, t_ret;
b1d0b3
 
b1d0b3
 	env = dbp->env;
b1d0b3
+	if (!LF_ISSET(DB_SALVAGE))
b1d0b3
+		return (EINVAL);
b1d0b3
-	DB_ASSERT(env, LF_ISSET(DB_SALVAGE));
b1d0b3
 
b1d0b3
 	/*
b1d0b3
 	 * !!!
b1d0b3
@@ -2126,10 +2136,8 @@
b1d0b3
 	int (*callback) __P((void *, const void *));
b1d0b3
 	u_int32_t flags;
b1d0b3
 {
b1d0b3
-	ENV *env;
b1d0b3
-
b1d0b3
-	env = dbp->env;
b1d0b3
-	DB_ASSERT(env, LF_ISSET(DB_SALVAGE));
b1d0b3
+	if (!LF_ISSET(DB_SALVAGE))
b1d0b3
+		return (EINVAL);
b1d0b3
 
b1d0b3
 	/* If we got this page in the subdb pass, we can safely skip it. */
b1d0b3
 	if (__db_salvage_isdone(vdp, pgno))
b1d0b3
@@ -2242,8 +2253,8 @@
b1d0b3
 				ret = t_ret;
b1d0b3
 			break;
b1d0b3
 		case SALVAGE_OVERFLOW:
b1d0b3
+			EPRINT((env, DB_STR("5544", "Invalid page type to salvage.")));
b1d0b3
+			return (EINVAL);
b1d0b3
-			DB_ASSERT(env, 0);	/* Shouldn't ever happen. */
b1d0b3
-			break;
b1d0b3
 		case SALVAGE_HASH:
b1d0b3
 			if ((t_ret = __ham_salvage(dbp, vdp,
b1d0b3
 			    pgno, h, handle, callback, flags)) != 0 && ret == 0)
b1d0b3
@@ -2256,8 +2267,8 @@
b1d0b3
 			 * Shouldn't happen, but if it does, just do what the
b1d0b3
 			 * nice man says.
b1d0b3
 			 */
b1d0b3
+			EPRINT((env, DB_STR("5545", "Invalid page type to salvage.")));
b1d0b3
+			return (EINVAL);
b1d0b3
-			DB_ASSERT(env, 0);
b1d0b3
-			break;
b1d0b3
 		}
b1d0b3
 		if ((t_ret = __memp_fput(mpf,
b1d0b3
 		    vdp->thread_info, h, dbp->priority)) != 0 && ret == 0)
b1d0b3
@@ -2303,8 +2314,8 @@
b1d0b3
 					ret = t_ret;
b1d0b3
 			break;
b1d0b3
 		default:
b1d0b3
+			EPRINT((env, DB_STR("5546", "Invalid page type to salvage.")));
b1d0b3
+			return (EINVAL);
b1d0b3
-			DB_ASSERT(env, 0);	/* Shouldn't ever happen. */
b1d0b3
-			break;
b1d0b3
 		}
b1d0b3
 		if ((t_ret = __memp_fput(mpf,
b1d0b3
 		    vdp->thread_info, h, dbp->priority)) != 0 && ret == 0)
b1d0b3
@@ -2361,7 +2372,10 @@
b1d0b3
 
b1d0b3
 	env = dbp->env;
b1d0b3
 
b1d0b3
+	if (himarkp == NULL) {
b1d0b3
+		__db_msg(env, "Page %lu index has no end.", (u_long)pgno);
b1d0b3
+		return (DB_VERIFY_FATAL);
b1d0b3
+	}
b1d0b3
-	DB_ASSERT(env, himarkp != NULL);
b1d0b3
 	inp = P_INP(dbp, h);
b1d0b3
 
b1d0b3
 	/*
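Review bot: The `himarkp == NULL` path reports through `__db_msg` with a bare string, while every other new diagnostic in this patch uses `EPRINT` or `__db_errx` with a `DB_STR`/`DB_STR_A` message id; `__db_msg` goes to the informational stream, so a verify run that only shows errors would return DB_VERIFY_FATAL with no explanation. `EPRINT((env, DB_STR_A("<new message id>", "Page %lu: index has no end.", "%lu"), (u_long)pgno));` with the next unused id would match the rest of the file. The enclosing function starts and ends outside the hunk.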
b1d0b3
@@ -2783,7 +2797,11 @@
b1d0b3
 					goto err;
b1d0b3
 				ovfl_bufsz = bkkey->len + 1;
b1d0b3
 			}
b1d0b3
+			if (subdbname == NULL) {
b1d0b3
+				EPRINT((env, DB_STR("5547", "Subdatabase cannot be null.")));
b1d0b3
+				ret = EINVAL;
b1d0b3
+				goto err;
b1d0b3
+			}
b1d0b3
-			DB_ASSERT(env, subdbname != NULL);
b1d0b3
 			memcpy(subdbname, bkkey->data, bkkey->len);
b1d0b3
 			subdbname[bkkey->len] = '\0';
b1d0b3
 		}
b1d0b3
--- db-18.1.32/src/db/db_vrfyutil.c	2019-02-20 03:21:20.000000000 +0530
b1d0b3
+++ db-18.1.40/src/db/db_vrfyutil.c	2020-05-29 23:28:22.000000000 +0530
b1d0b3
@@ -214,7 +214,8 @@
b1d0b3
 	if ((ret = __db_get(pgdbp,
b1d0b3
 	    vdp->thread_info, vdp->txn, &key, &data, 0)) == 0) {
b1d0b3
 		/* Found it. */
b1d0b3
+		if (data.size != sizeof(VRFY_PAGEINFO))
b1d0b3
+			return (DB_VERIFY_FATAL);
b1d0b3
-		DB_ASSERT(env, data.size == sizeof(VRFY_PAGEINFO));
b1d0b3
 		pip = data.data;
b1d0b3
 		LIST_INSERT_HEAD(&vdp->activepips, pip, links);
b1d0b3
 		goto found;
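Review bot: The early `return (DB_VERIFY_FATAL)` on a size mismatch leaves the `data` DBT that `__db_get` just filled unreleased; if `data` is set up with DB_DBT_MALLOC earlier in this function (the setup is outside the hunk), `data.data` leaks on this path and should be freed with `__os_ufree` before returning. The removed DB_ASSERT did not have this problem only because it aborted. The enclosing function starts and ends outside the hunk.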
b1d0b3
@@ -342,7 +343,8 @@
b1d0b3
 	F_SET(&data, DB_DBT_USERMEM);
b1d0b3
 
b1d0b3
 	if ((ret = __db_get(dbp, ip, txn, &key, &data, 0)) == 0) {
b1d0b3
+		if (data.size != sizeof(int))
b1d0b3
+			return (EINVAL);
b1d0b3
-		DB_ASSERT(dbp->env, data.size == sizeof(int));
b1d0b3
 	} else if (ret == DB_NOTFOUND)
b1d0b3
 		val = 0;
b1d0b3
 	else
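Review bot: The check `data.size != sizeof(int)` here returns EINVAL, while the identical check added in the next hunk (@@ -382) returns DB_VERIFY_FATAL for the same condition in the same file. A wrong record size in the verifier's own page database is corruption of verifier state rather than a bad argument, so DB_VERIFY_FATAL is the better fit for both; at minimum the two should agree. The enclosing function starts and ends outside the hunk.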
b1d0b3
@@ -382,7 +384,8 @@
b1d0b3
 	F_SET(&data, DB_DBT_USERMEM);
b1d0b3
 
b1d0b3
 	if ((ret = __db_get(dbp, ip, txn, &key, &data, 0)) == 0) {
b1d0b3
+		if (data.size != sizeof(int))
b1d0b3
+			return (DB_VERIFY_FATAL);
b1d0b3
-		DB_ASSERT(dbp->env, data.size == sizeof(int));
b1d0b3
 	} else if (ret != DB_NOTFOUND)
b1d0b3
 		return (ret);
b1d0b3
 
b1d0b3
@@ -419,7 +422,8 @@
b1d0b3
 	if ((ret = __dbc_get(dbc, &key, &data, DB_NEXT)) != 0)
b1d0b3
 		return (ret);
b1d0b3
 
b1d0b3
+	if (key.size != sizeof(db_pgno_t))
b1d0b3
+		return (DB_VERIFY_FATAL);
b1d0b3
-	DB_ASSERT(dbc->env, key.size == sizeof(db_pgno_t));
b1d0b3
 	*pgnop = pgno;
b1d0b3
 
b1d0b3
 	return (0);
b1d0b3
@@ -566,7 +570,8 @@
b1d0b3
 	if ((ret = __dbc_get(dbc, &key, &data, DB_SET)) != 0)
b1d0b3
 		return (ret);
b1d0b3
 
b1d0b3
+	if (data.size != sizeof(VRFY_CHILDINFO))
b1d0b3
+		return (DB_VERIFY_FATAL);
b1d0b3
-	DB_ASSERT(dbc->env, data.size == sizeof(VRFY_CHILDINFO));
b1d0b3
 	*cipp = (VRFY_CHILDINFO *)data.data;
b1d0b3
 
b1d0b3
 	return (0);
b1d0b3
@@ -594,7 +599,8 @@
b1d0b3
 	if ((ret = __dbc_get(dbc, &key, &data, DB_NEXT_DUP)) != 0)
b1d0b3
 		return (ret);
b1d0b3
 
b1d0b3
+	if (data.size != sizeof(VRFY_CHILDINFO))
b1d0b3
+		return (DB_VERIFY_FATAL);
b1d0b3
-	DB_ASSERT(dbc->env, data.size == sizeof(VRFY_CHILDINFO));
b1d0b3
 	*cipp = (VRFY_CHILDINFO *)data.data;
b1d0b3
 
b1d0b3
 	return (0);
b1d0b3
@@ -721,7 +727,8 @@
b1d0b3
 		return (ret);
b1d0b3
 
b1d0b3
 	while ((ret = __dbc_get(*dbcp, &key, &data, DB_NEXT)) == 0) {
b1d0b3
+		if (data.size != sizeof(u_int32_t))
b1d0b3
+			return (DB_VERIFY_FATAL);
b1d0b3
-		DB_ASSERT(dbp->env, data.size == sizeof(u_int32_t));
b1d0b3
 		memcpy(&pgtype, data.data, sizeof(pgtype));
b1d0b3
 
b1d0b3
 		if (skip_overflow && pgtype == SALVAGE_OVERFLOW)
b1d0b3
@@ -730,8 +737,9 @@
b1d0b3
 		if ((ret = __dbc_del(*dbcp, 0)) != 0)
b1d0b3
 			return (ret);
b1d0b3
 		if (pgtype != SALVAGE_IGNORE) {
b1d0b3
+			if (key.size != sizeof(db_pgno_t)
b1d0b3
+				|| data.size != sizeof(u_int32_t))
b1d0b3
+				return (DB_VERIFY_FATAL);
b1d0b3
-			DB_ASSERT(dbp->env, key.size == sizeof(db_pgno_t));
b1d0b3
-			DB_ASSERT(dbp->env, data.size == sizeof(u_int32_t));
b1d0b3
 
b1d0b3
 			*pgnop = *(db_pgno_t *)key.data;
b1d0b3
 			*pgtypep = *(u_int32_t *)data.data;
b1d0b3
--- db-18.1.32/src/db/partition.c	2019-02-20 03:21:20.000000000 +0530
b1d0b3
+++ db-18.1.40/src/db/partition.c	2020-05-29 23:28:22.000000000 +0530
b1d0b3
@@ -461,9 +461,19 @@
b1d0b3
 		} else
b1d0b3
 			part->nparts = meta->nparts;
b1d0b3
 	} else if (meta->nparts != 0 && part->nparts != meta->nparts) {
b1d0b3
+		ret = EINVAL;
b1d0b3
 		__db_errx(env, DB_STR("0656",
b1d0b3
 		    "Number of partitions does not match."));
b1d0b3
-		ret = EINVAL;
b1d0b3
+		goto err;
b1d0b3
+	}
b1d0b3
+	/*
b1d0b3
+	 * There is no limit on the number of partitions, but I cannot imagine a real
b1d0b3
+	 * database having more than 10000.
b1d0b3
+	 */
b1d0b3
+	if (meta->nparts > 10000) {
b1d0b3
+		ret = EINVAL;
b1d0b3
+		__db_errx(env, DB_STR_A("5553",
b1d0b3
+			"Too many partitions %lu", "%lu"), (u_long)(meta->nparts));
b1d0b3
 		goto err;
b1d0b3
 	}
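Review bot: `10000` is a magic number whose comment justifies it by intuition; giving it a name (a file-scope `#define` or enum constant, e.g. `DB_PART_NPARTS_MAX`, a constructed name) and a comment stating that it bounds allocation and loop sizes driven by on-disk metadata would make the intent clear. Only `meta->nparts` is bounded; if `part->nparts` can arrive from the application in the `meta->nparts == 0` branch above (outside the hunk), it is not subject to the limit. The `__db_errx` continuation line is indented with a mix of tabs and spaces. The enclosing function starts and ends outside the hunk.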
b1d0b3
 
b1d0b3
@@ -2106,10 +2116,13 @@
b1d0b3
 			memcpy(rp->data, key->data, key->size);
b1d0b3
 			B_TSET(rp->type, B_KEYDATA);
b1d0b3
 		}
b1d0b3
+vrfy:   if ((t_ret = __db_verify(*pdbp, ip, (*pdbp)->fname,
b1d0b3
+	      NULL, handle, callback,
b1d0b3
+	      lp, rp, flags | DB_VERIFY_PARTITION)) != 0 && ret == 0) {
b1d0b3
+	        ret = t_ret;
b1d0b3
+            if (ret == ENOENT)
b1d0b3
+                break;
b1d0b3
+	    }
b1d0b3
-vrfy:		if ((t_ret = __db_verify(*pdbp, ip, (*pdbp)->fname,
b1d0b3
-		    NULL, handle, callback,
b1d0b3
-		    lp, rp, flags | DB_VERIFY_PARTITION)) != 0 && ret == 0)
b1d0b3
-			ret = t_ret;
b1d0b3
 	}
b1d0b3
 
b1d0b3
 err:	if (lp != NULL)
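Review bot: The rewritten `vrfy:` block mixes spaces and tabs (`vrfy:   if`, a tab plus spaces before `ret = t_ret;`, spaces only before `if (ret == ENOENT)`), so it does not align with the tab-indented code around it; the removed lines were consistently tab-indented and the replacement should be too. The `ret == ENOENT` break only fires when `ret` was still 0, because it sits inside the `&& ret == 0` branch; if a missing partition file should stop the loop even after an earlier non-fatal error, the test belongs outside that condition. The enclosing function starts outside the hunk.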
b1d0b3
--- db-18.1.32/src/hash/hash_page.c	2019-02-20 03:21:20.000000000 +0530
b1d0b3
+++ db-18.1.40/src/hash/hash_page.c	2020-05-29 23:28:22.000000000 +0530
b1d0b3
@@ -869,7 +869,11 @@
b1d0b3
 	/* Validate that next, prev pointers are OK */
b1d0b3
 	n = NUM_ENT(p);
b1d0b3
 	dbp = dbc->dbp;
b1d0b3
+	if (n % 2 != 0) {
b1d0b3
+		__db_errx(dbp->env, DB_STR_A("5549",
b1d0b3
+		  "Odd number of entries on page: %lu", "%lu"), (u_long)(p->pgno));
b1d0b3
+		return (DB_VERIFY_FATAL);
b1d0b3
+	}
b1d0b3
-	DB_ASSERT(dbp->env, n%2 == 0 );
b1d0b3
 
b1d0b3
 	env = dbp->env;
b1d0b3
 	t = dbp->h_internal;
b1d0b3
@@ -940,7 +944,12 @@
b1d0b3
 			if ((ret = __db_prpage(dbp, p, DB_PR_PAGE)) != 0)
b1d0b3
 				return (ret);
b1d0b3
 #endif
b1d0b3
+			if (res >= 0) {
b1d0b3
+				__db_errx(env, DB_STR_A("5550",
b1d0b3
+					"Odd number of entries on page: %lu", "%lu"),
b1d0b3
+					(u_long)p->pgno);
b1d0b3
+				return (DB_VERIFY_FATAL);
b1d0b3
+			}
b1d0b3
-			DB_ASSERT(dbp->env, res < 0);
b1d0b3
 		}
b1d0b3
 
b1d0b3
 		prev = curr;
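Review bot: The message printed when `res >= 0` says "Odd number of entries on page", which is the text of the check added at @@ -869 for `n % 2 != 0`; here `res` looks like a comparison result between adjacent entries (the removed assertion was `res < 0`), so the diagnostic misdescribes the failure. Something like `"Page %lu: entries are out of order"` under its own message id would tell the user what is actually wrong. The enclosing function starts and ends outside the hunk.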
b1d0b3
--- db-18.1.32/src/hash/hash_verify.c	2019-02-20 03:21:20.000000000 +0530
b1d0b3
+++ db-18.1.40/src/hash/hash_verify.c	2020-05-29 23:28:22.000000000 +0530
b1d0b3
@@ -615,7 +615,7 @@
b1d0b3
 				isbad = 1;
b1d0b3
 			else
b1d0b3
 				goto err;
b1d0b3
+		}
b1d0b3
-		    }
b1d0b3
 
b1d0b3
 	/*
b1d0b3
 	 * There may be unused hash pages corresponding to buckets
b1d0b3
@@ -746,7 +746,7 @@
b1d0b3
 		    "Page %lu: impossible first page in bucket %lu", "%lu %lu"),
b1d0b3
 		    (u_long)pgno, (u_long)bucket));
b1d0b3
 		/* Unsafe to continue. */
b1d0b3
+		ret = DB_VERIFY_FATAL;
b1d0b3
-		isbad = 1;
b1d0b3
 		goto err;
b1d0b3
 	}
b1d0b3
 
b1d0b3
@@ -776,7 +776,7 @@
b1d0b3
 			EPRINT((env, DB_STR_A("1116",
b1d0b3
 			    "Page %lu: hash page referenced twice", "%lu"),
b1d0b3
 			    (u_long)pgno));
b1d0b3
+			ret = DB_VERIFY_FATAL;
b1d0b3
-			isbad = 1;
b1d0b3
 			/* Unsafe to continue. */
b1d0b3
 			goto err;
b1d0b3
 		} else if ((ret = __db_vrfy_pgset_inc(vdp->pgset,
b1d0b3
@@ -1307,7 +1307,11 @@
b1d0b3
 	COMPQUIET(flags, 0);
b1d0b3
 	ip = vdp->thread_info;
b1d0b3
 
b1d0b3
+	if (pgset == NULL) {
b1d0b3
+		EPRINT((dbp->env, DB_STR("5548",
b1d0b3
+			"Error, database contains no visible pages.")));
b1d0b3
+		return (DB_VERIFY_FATAL);
b1d0b3
+	}
b1d0b3
-	DB_ASSERT(dbp->env, pgset != NULL);
b1d0b3
 
b1d0b3
 	mpf = dbp->mpf;
b1d0b3
 	totpgs = 0;
b1d0b3
--- db-18.1.32/src/qam/qam_verify.c	2019-02-20 03:21:20.000000000 +0530
b1d0b3
+++ db-18.1.40/src/qam/qam_verify.c	2020-05-29 23:28:22.000000000 +0530
b1d0b3
@@ -465,7 +465,14 @@
b1d0b3
 	/* Verify/salvage each page. */
b1d0b3
 	if ((ret = __db_cursor(dbp, vdp->thread_info, NULL, &dbc, 0)) != 0)
b1d0b3
 		return (ret);
b1d0b3
-begin:	for (; i <= stop; i++) {
b1d0b3
+begin:	if ((stop - i) > 100000) {
b1d0b3
+		EPRINT((env, DB_STR_A("5551",
b1d0b3
+"Warning, many possible extends files (%lu), will take a long time to verify",
b1d0b3
+          "%lu"), (u_long)(stop - i)));
b1d0b3
+	}
b1d0b3
+	for (; i <= stop; i++) {
b1d0b3
+		if (i == UINT32_MAX)
b1d0b3
+			break;
b1d0b3
 		/*
b1d0b3
 		 * If DB_SALVAGE is set, we inspect our database of completed
b1d0b3
 		 * pages, and skip any we've already printed in the subdb pass.
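Review bot: `stop - i` is computed in unsigned arithmetic, so when `i > stop` (a loop that would not run at all) the difference wraps and the new warning fires with a huge count; guard it with `if (stop > i && stop - i > 100000)`. The `if (i == UINT32_MAX) break;` at the top of the body prevents the `i++` wrap-around but also skips verifying the page numbered UINT32_MAX itself; moving the test after the body would cover it. The message text has "extends files" where "extent files" appears to be meant, `100000` is another magic number, and the `"%lu"` continuation line is indented with spaces. The enclosing function continues outside the hunk.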