Details
- Bug
- Resolution: Fixed
- Critical
- 2.5.1
- Security Level: Public
- None
- Untriaged
- Unknown
Description
If the path to a database file is more than 250 bytes long, and auto-compaction is enabled, the stack will be corrupted, probably causing a crash. The reason is that compactor_is_valid_mode() copies the path into a stack buffer 256 bytes long and then appends a 5-byte suffix to it.
The buffer needs to be bigger. I suggest using MAXPATHLEN as the size, at least on Unix systems; it's a common Unix constant defined in <sys/param.h>. On Apple platforms the value is 1024.
The backtrace of the crash in the iOS simulator looks like this; apparently __assert_rtn is an OS stack sanity check.
- thread #1: tid = 0x6112d, 0x0269969e libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x0269969e libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x0265e2c1 libsystem_pthread.dylib`pthread_kill + 101
    frame #2: 0x023a59c9 libsystem_sim_c.dylib`abort + 127
    frame #3: 0x0237053b libsystem_sim_c.dylib`__assert_rtn + 284
    frame #4: 0x000b3644 HeadlessBee`compactor_is_valid_mode(filename=<unavailable>, config=<unavailable>) + 276 at compactor.cc:774
    frame #5: 0x000bafd9 HeadlessBee`_fdb_open(handle=<unavailable>, filename=<unavailable>, config=0xbfff8ee0) + 201 at forestdb.cc:842
    frame #6: 0x000baede HeadlessBee`fdb_open(ptr_handle=<unavailable>, filename=<unavailable>, fconfig=0xbfff9010) + 158 at forestdb.cc:528
The actual path causing the crash (251 bytes long) was:
/Volumes/Retina2/Users/snej/Library/Developer/CoreSimulator/Devices/F889372A-F7E8-4534-B6B3-C3E23EFE528C/data/Applications/988D316C-31F3-4A05-8EDC-79C86061C7C9/Library/Application Support/CouchbaseLite/test13_itunesindex-db.cblite2/x:artists.viewindex
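The overflow pattern this report describes and the suggested MAXPATHLEN fix, as an added example (not ForestDB's or Couchbase Lite's own code): a hypothetical reconstruction of a 256-byte stack buffer that receives the filename and then a 5-byte suffix with no length check, beside a bounded version that sizes the buffer with MAXPATHLEN and rejects a path that still does not fit instead of overrunning the stack. Only the 256-byte buffer, the 5-byte suffix, the 250/251-byte boundary and MAXPATHLEN come from the report; the suffix literal, the function names and the constructed test paths are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/param.h>   /* MAXPATHLEN on Unix; 1024 on Apple platforms per the report */

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024  /* fallback for platforms that do not define it (assumption) */
#endif

/* Five-byte suffix appended to the database filename. The report gives only
   its length; ".meta" is a placeholder chosen for this example. */
#define SUFFIX ".meta"
#define SUFFIX_LEN 5

/* Hypothetical reconstruction of the unsafe pattern in the report (not
   ForestDB's code): a fixed 256-byte stack buffer, the filename copied in,
   the suffix appended, no length check anywhere. Since one byte is the
   terminating NUL, any filename longer than 250 bytes overruns the buffer.
   Only call this with short filenames; it exists to show the bug. */
static size_t unsafe_suffixed_len(const char *filename)
{
    char path[256];
    strcpy(path, filename);        /* overruns when strlen(filename) > 255 */
    strcat(path, SUFFIX);          /* overruns when strlen(filename) > 250 */
    return strlen(path);
}

/* Bounded replacement: writes filename + SUFFIX into `out` and returns 0, or
   returns -1 with an empty `out` when the result would not fit. snprintf
   returns the length the full string would have had, so a value >= out_size
   means it was truncated and the caller must not proceed with it. */
static int build_suffixed_path(const char *filename, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "%s%s", filename, SUFFIX);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Longest filename that fits in a buffer of `buf_size` bytes once the suffix
   and the terminating NUL are added: 250 for a 256-byte buffer. */
static size_t max_filename_len(size_t buf_size)
{
    return buf_size > SUFFIX_LEN + 1 ? buf_size - SUFFIX_LEN - 1 : 0;
}

/* What the fixed function's prologue should look like: a MAXPATHLEN buffer
   plus an explicit rejection of paths that still do not fit. Returns 1 if the
   suffixed path was built, 0 if the path was rejected as too long. */
static int checked_is_valid_mode(const char *filename)
{
    char path[MAXPATHLEN];
    if (build_suffixed_path(filename, path, sizeof path) != 0)
        return 0;                  /* too long: invalid path, not a crash */
    /* ... the real function would go on to open `path` here ... */
    return 1;
}

/* Test helper: fill `dst` with a NUL-terminated run of `len` 'a' bytes
   (constructed input standing in for the 251-byte simulator path). */
static void make_path(char *dst, size_t len)
{
    memset(dst, 'a', len);
    dst[len] = '\0';
}

int main(void)
{
    char p251[252];
    char out[256];
    make_path(p251, 251);          /* the length that crashed in the report */
    printf("256-byte buffer, 251-byte path: %s\n",
           build_suffixed_path(p251, out, sizeof out) == 0 ? "fits" : "rejected");
    printf("MAXPATHLEN (%d) buffer, 251-byte path: %s\n", (int)MAXPATHLEN,
           checked_is_valid_mode(p251) ? "fits" : "rejected");
    return 0;
}
```

The important design choice is that the bounded version fails closed: a path that does not fit is reported as invalid rather than silently truncated, because a truncated filename would make the compactor operate on a different file than the one the caller named.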