From 32c63077a457d3a639b47329635a374b91a5f91d Mon Sep 17 00:00:00 2001
From: Leo Yuriev
Date: Wed, 25 Jul 2018 11:15:03 +0300
Subject: [PATCH] mdbx: check page bound inside mdbx_page_get().
Change-Id: I7649c3c65c19013e1b367e7554fbe823ea0511d2
---
 src/mdbx.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/mdbx.c b/src/mdbx.c
index 2ba38d26..dd56e921 100644
--- a/src/mdbx.c
+++ b/src/mdbx.c
@@ -6352,9 +6352,13 @@ static int mdbx_page_get(MDBX_cursor *mc, pgno_t pgno, MDBX_page **ret,
 mapped:
 p = pgno2page(env, pgno);
- /* TODO: check p->mp_validator here */
 done:
+ if (unlikely(p->mp_upper < p->mp_lower ||
+ PAGEHDRSZ + p->mp_upper > env->me_psize))
+ return MDBX_CORRUPTED;
+ /* TODO: more checks here, including p->mp_validator */
+
 *ret = p;
 if (lvl)
 *lvl = level;
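Review bot: The bounds test added after `done:` runs for every page that reaches the label, whatever its type, and nothing in the hunk excludes overflow pages. If `mp_lower`/`mp_upper` share storage with an overflow-page count, as in LMDB-derived page headers (the struct is not visible here, so please confirm), a valid overflow page could fail `p->mp_upper < p->mp_lower` and be reported as `MDBX_CORRUPTED`. Prefixing the condition with `!IS_OVERFLOW(p) &&` would avoid that. The test also only orders `mp_upper` against `mp_lower` and bounds it by `env->me_psize`, so the TODO could name the remaining header checks, such as comparing the page's stored page number with the requested `pgno`. The early return leaves `*ret` and `*lvl` unwritten, which deserves a line in the function's comment; the body of `mdbx_page_get` starts and ends outside this hunk.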