archrelease: copy trunk to extra-x86_64
[arch-packages.git] / db5.3 / repos / core-x86_64 / db-5.3.28_cve-2019-2708.patch
blob341cb4b6ab4184f113db1c8ddddc8edd8f794a33
1 --- db-18.1.32/src/btree/bt_cursor.c 2019-02-20 03:21:20.000000000 +0530
2 +++ db-18.1.40/src/btree/bt_cursor.c 2020-05-29 23:28:22.000000000 +0530
3 @@ -282,6 +282,8 @@
5 * Recno uses the btree bt_ovflsize value -- it's close enough.
6 */
7 + if (t->bt_minkey == 0)
8 + return (DB_RECOVER);
9 cp->ovflsize = B_MINKEY_TO_OVFLSIZE(
10 dbp, F_ISSET(dbc, DBC_OPD) ? 2 : t->bt_minkey, dbp->pgsize);
12 --- db-18.1.32/src/btree/bt_verify.c 2019-02-20 03:21:20.000000000 +0530
13 +++ db-18.1.40/src/btree/bt_verify.c 2020-05-29 23:28:22.000000000 +0530
14 @@ -700,7 +700,11 @@
15 isbad = 1;
16 goto err;
17 default:
18 + if (ret == 0) {
19 + isbad = 1;
20 + ret = DB_VERIFY_FATAL;
21 + goto err;
22 + }
23 - DB_ASSERT(env, ret != 0);
24 break;
27 @@ -1074,7 +1078,7 @@
28 DBT dbta, dbtb, dup_1, dup_2, *p1, *p2, *tmp;
29 ENV *env;
30 PAGE *child;
31 + db_pgno_t cpgno, grandparent;
32 - db_pgno_t cpgno;
33 VRFY_PAGEINFO *pip;
34 db_indx_t i, *inp;
35 int adj, cmp, freedup_1, freedup_2, isbad, ret, t_ret;
36 @@ -1106,7 +1110,8 @@
38 buf1 = buf2 = NULL;
40 + if (LF_ISSET(DB_NOORDERCHK))
41 + return (EINVAL);
42 - DB_ASSERT(env, !LF_ISSET(DB_NOORDERCHK));
44 dupfunc = (dbp->dup_compare == NULL) ? __bam_defcmp : dbp->dup_compare;
45 if (TYPE(h) == P_LDUP)
46 @@ -1115,6 +1120,7 @@
47 func = __bam_defcmp;
48 if (dbp->bt_internal != NULL) {
49 bt = (BTREE *)dbp->bt_internal;
50 + grandparent = bt->bt_root;
51 if (TYPE(h) == P_IBTREE && (bt->bt_compare != NULL ||
52 dupfunc != __bam_defcmp)) {
54 @@ -974,8 +980,24 @@
56 mpf = dbp->mpf;
57 child = h;
58 + cpgno = pgno;
59 while (TYPE(child) == P_IBTREE) {
60 + if (NUM_ENT(child) == 0) {
61 + EPRINT((env, DB_STR_A("1088",
62 + "Page %lu: internal page is empty and should not be",
63 + "%lu"), (u_long)cpgno));
64 + ret = DB_VERIFY_BAD;
65 + goto err;
66 + }
67 bi = GET_BINTERNAL(dbp, child, 0);
68 + if (grandparent == bi->pgno) {
69 + EPRINT((env, DB_STR_A("5552",
70 + "Page %lu: found twice in the btree",
71 + "%lu"), (u_long)grandparent));
72 + ret = DB_VERIFY_FATAL;
73 + goto err;
74 + } else
75 + grandparent = cpgno;
76 cpgno = bi->pgno;
77 if (child != h &&
78 (ret = __memp_fput(mpf,
79 @@ -1402,7 +1416,10 @@
81 if (dup_1.data == NULL ||
82 dup_2.data == NULL) {
83 + if (ovflok) {
84 + isbad = 1;
85 + goto err;
86 + }
87 - DB_ASSERT(env, !ovflok);
88 if (pip != NULL)
89 F_SET(pip,
90 VRFY_INCOMPLETE);
91 @@ -1747,9 +1764,10 @@
92 (ret = __db_vrfy_ovfl_structure(dbp, vdp,
93 child->pgno, child->tlen,
94 flags | DB_ST_OVFL_LEAF)) != 0) {
95 + if (ret == DB_VERIFY_BAD) {
96 - if (ret == DB_VERIFY_BAD)
97 isbad = 1;
98 + break;
99 + } else
100 - else
101 goto done;
104 @@ -1823,9 +1841,10 @@
105 stflags | DB_ST_TOPLEVEL,
106 NULL, NULL, NULL)) != 0) {
107 if (ret ==
108 + DB_VERIFY_BAD) {
109 - DB_VERIFY_BAD)
110 isbad = 1;
111 + break;
112 + } else
113 - else
114 goto err;
117 @@ -1969,7 +1988,10 @@
120 /* Otherwise, __db_vrfy_childput would be broken. */
121 + if (child->refcnt < 1) {
122 + isbad = 1;
123 + goto err;
125 - DB_ASSERT(env, child->refcnt >= 1);
128 * An overflow referenced more than twice here
129 @@ -1986,9 +2008,10 @@
130 if ((ret = __db_vrfy_ovfl_structure(dbp,
131 vdp, child->pgno, child->tlen,
132 flags)) != 0) {
133 + if (ret == DB_VERIFY_BAD) {
134 - if (ret == DB_VERIFY_BAD)
135 isbad = 1;
136 + break;
137 + } else
138 - else
139 goto done;
142 @@ -2026,9 +2049,10 @@
143 if ((ret = __bam_vrfy_subtree(dbp, vdp, li->pgno,
144 i == 0 ? NULL : li, ri, flags, &child_level,
145 &child_nrecs, NULL)) != 0) {
146 + if (ret == DB_VERIFY_BAD) {
147 - if (ret == DB_VERIFY_BAD)
148 isbad = 1;
149 + break;
150 + } else
151 - else
152 goto done;
155 @@ -2929,7 +2953,11 @@
156 db_pgno_t current, p;
157 int err_ret, ret;
159 + if (pgset == NULL) {
160 + EPRINT((dbp->env, DB_STR("5542",
161 + "Error, database contains no visible pages.")));
162 + return (DB_RUNRECOVERY);
164 - DB_ASSERT(dbp->env, pgset != NULL);
166 mpf = dbp->mpf;
167 h = NULL;
168 --- db-18.1.32/src/db/db_conv.c 2019-02-20 03:21:20.000000000 +0530
169 +++ db-18.1.40/src/db/db_conv.c 2020-05-29 23:28:22.000000000 +0530
170 @@ -493,8 +493,11 @@
171 db_indx_t i, *inp, len, tmp;
172 u_int8_t *end, *p, *pgend;
174 - if (pagesize == 0)
175 - return (0);
176 + /* This function is also used to byteswap logs, so
177 + * the pagesize might not be an actual page size.
178 + */
179 + if (!(pagesize >= 24 && pagesize <= DB_MAX_PGSIZE))
180 + return (EINVAL);
182 if (pgin) {
183 M_32_SWAP(h->lsn.file);
184 @@ -513,26 +516,41 @@
185 pgend = (u_int8_t *)h + pagesize;
187 inp = P_INP(dbp, h);
188 - if ((u_int8_t *)inp >= pgend)
189 - goto out;
190 + if ((u_int8_t *)inp > pgend)
191 + return (__db_pgfmt(env, pg));
193 switch (TYPE(h)) {
194 case P_HASH_UNSORTED:
195 case P_HASH:
196 for (i = 0; i < NUM_ENT(h); i++) {
197 + if ((u_int8_t*)(inp + i) >= pgend)
198 + return (__db_pgfmt(env, pg));
199 + if (inp[i] == 0)
200 + continue;
201 if (pgin)
202 M_16_SWAP(inp[i]);
203 + if (inp[i] >= pagesize)
204 + return (__db_pgfmt(env, pg));
206 - if (P_ENTRY(dbp, h, i) >= pgend)
207 - continue;
208 + if (P_ENTRY(dbp, h, i) >= pgend)
209 + return (__db_pgfmt(env, pg));
211 switch (HPAGE_TYPE(dbp, h, i)) {
212 case H_KEYDATA:
213 break;
214 case H_DUPLICATE:
215 + if (LEN_HITEM(dbp, h, pagesize, i) <
216 + HKEYDATA_SIZE(0))
217 + return (__db_pgfmt(env, pg));
219 len = LEN_HKEYDATA(dbp, h, pagesize, i);
220 p = HKEYDATA_DATA(P_ENTRY(dbp, h, i));
221 - for (end = p + len; p < end;) {
223 + end = p + len;
224 + if (end > pgend)
225 + return (__db_pgfmt(env, pg));
227 + while (p < end) {
228 if (pgin) {
229 P_16_SWAP(p);
230 memcpy(&tmp,
231 @@ -544,14 +562,20 @@
232 SWAP16(p);
234 p += tmp;
235 + if (p >= end)
236 + return (__db_pgfmt(env, pg));
237 SWAP16(p);
239 break;
240 case H_OFFDUP:
241 + if ((inp[i] + HOFFDUP_SIZE) > pagesize)
242 + return (__db_pgfmt(env, pg));
243 p = HOFFPAGE_PGNO(P_ENTRY(dbp, h, i));
244 SWAP32(p); /* pgno */
245 break;
246 case H_OFFPAGE:
247 + if ((inp[i] + HOFFPAGE_SIZE) > pagesize)
248 + return (__db_pgfmt(env, pg));
249 p = HOFFPAGE_PGNO(P_ENTRY(dbp, h, i));
250 SWAP32(p); /* pgno */
251 SWAP32(p); /* tlen */
252 @@ -559,7 +583,6 @@
253 default:
254 return (__db_pgfmt(env, pg));
260 @@ -576,8 +599,12 @@
261 case P_LDUP:
262 case P_LRECNO:
263 for (i = 0; i < NUM_ENT(h); i++) {
264 + if ((u_int8_t *)(inp + i) >= pgend)
265 + return (__db_pgfmt(env, pg));
266 if (pgin)
267 M_16_SWAP(inp[i]);
268 + if (inp[i] >= pagesize)
269 + return (__db_pgfmt(env, pg));
272 * In the case of on-page duplicates, key information
273 @@ -597,7 +624,7 @@
275 bk = GET_BKEYDATA(dbp, h, i);
276 if ((u_int8_t *)bk >= pgend)
277 - continue;
278 + return (__db_pgfmt(env, pg));
279 switch (B_TYPE(bk->type)) {
280 case B_KEYDATA:
281 M_16_SWAP(bk->len);
282 @@ -605,6 +632,8 @@
283 case B_DUPLICATE:
284 case B_OVERFLOW:
285 bo = (BOVERFLOW *)bk;
286 + if (((u_int8_t *)bo + BOVERFLOW_SIZE) > pgend)
287 + return (__db_pgfmt(env, pg));
288 M_32_SWAP(bo->pgno);
289 M_32_SWAP(bo->tlen);
290 break;
291 @@ -618,12 +647,17 @@
292 break;
293 case P_IBTREE:
294 for (i = 0; i < NUM_ENT(h); i++) {
295 + if ((u_int8_t *)(inp + i) > pgend)
296 + return (__db_pgfmt(env, pg));
297 if (pgin)
298 M_16_SWAP(inp[i]);
299 + if ((u_int16_t)(inp[i] +
300 + BINTERNAL_SIZE(0) - 1) > pagesize)
301 + break;
303 bi = GET_BINTERNAL(dbp, h, i);
304 - if ((u_int8_t *)bi >= pgend)
305 - continue;
306 + if (((u_int8_t *)bi + BINTERNAL_SIZE(0)) > pgend)
307 + return (__db_pgfmt(env, pg));
309 M_16_SWAP(bi->len);
310 M_32_SWAP(bi->pgno);
311 @@ -634,6 +668,10 @@
312 break;
313 case B_DUPLICATE:
314 case B_OVERFLOW:
315 + if ((u_int16_t)(inp[i] +
316 + BINTERNAL_SIZE(BOVERFLOW_SIZE) - 1) >
317 + pagesize)
318 + goto out;
319 bo = (BOVERFLOW *)bi->data;
320 M_32_SWAP(bo->pgno);
321 M_32_SWAP(bo->tlen);
322 @@ -648,12 +686,16 @@
323 break;
324 case P_IRECNO:
325 for (i = 0; i < NUM_ENT(h); i++) {
326 + if ((u_int8_t *)(inp + i) >= pgend)
327 + return (__db_pgfmt(env, pg));
328 if (pgin)
329 M_16_SWAP(inp[i]);
330 + if (inp[i] >= pagesize)
331 + return (__db_pgfmt(env, pg));
333 ri = GET_RINTERNAL(dbp, h, i);
334 - if ((u_int8_t *)ri >= pgend)
335 - continue;
336 + if ((((u_int8_t *)ri) + RINTERNAL_SIZE) > pgend)
337 + return (__db_pgfmt(env, pg));
339 M_32_SWAP(ri->pgno);
340 M_32_SWAP(ri->nrecs);
341 --- db-18.1.32/src/db/db_vrfy.c 2019-02-20 03:21:20.000000000 +0530
342 +++ db-18.1.40/src/db/db_vrfy.c 2020-05-29 23:28:22.000000000 +0530
343 @@ -381,8 +381,10 @@
344 vdp, name, 0, lp, rp, flags)) != 0) {
345 if (t_ret == DB_VERIFY_BAD)
346 isbad = 1;
347 + else {
348 + ret = t_ret;
349 + goto err;
351 - else
352 - goto err;
356 @@ -771,9 +773,10 @@
358 if ((t_ret = __memp_fget(mpf, &i,
359 vdp->thread_info, NULL, 0, &h)) != 0) {
360 + if ((dbp->type == DB_HASH ||
361 - if (dbp->type == DB_HASH ||
362 (dbp->type == DB_QUEUE &&
363 + F_ISSET(dbp, DB_AM_INMEM))) &&
364 + t_ret != DB_RUNRECOVERY) {
365 - F_ISSET(dbp, DB_AM_INMEM))) {
366 if ((t_ret =
367 __db_vrfy_getpageinfo(vdp, i, &pip)) != 0)
368 goto err1;
369 @@ -945,6 +948,8 @@
370 return (ret == 0 ? t_ret : ret);
373 + if (ret == DB_PAGE_NOTFOUND && isbad == 1)
374 + ret = 0;
375 return ((isbad == 1 && ret == 0) ? DB_VERIFY_BAD : ret);
378 @@ -1581,7 +1586,7 @@
379 if (pgno == PGNO_BASE_MD &&
380 dbtype != DB_QUEUE && meta->last_pgno != vdp->last_pgno) {
381 #ifdef HAVE_FTRUNCATE
382 + ret = DB_VERIFY_FATAL;
383 - isbad = 1;
384 EPRINT((env, DB_STR_A("0552",
385 "Page %lu: last_pgno is not correct: %lu != %lu",
386 "%lu %lu %lu"), (u_long)pgno,
387 @@ -1622,7 +1627,11 @@
389 env = dbp->env;
390 pgset = vdp->pgset;
391 + if (pgset == NULL) {
392 + EPRINT((env, DB_STR("5543",
393 + "Error, database contains no visible pages.")));
394 + return (DB_RUNRECOVERY);
396 - DB_ASSERT(env, pgset != NULL);
398 if ((ret = __db_vrfy_getpageinfo(vdp, meta, &pip)) != 0)
399 return (ret);
400 @@ -2014,7 +2023,8 @@
401 int keyflag, ret, t_ret;
403 env = dbp->env;
404 + if (!LF_ISSET(DB_SALVAGE))
405 + return (EINVAL);
406 - DB_ASSERT(env, LF_ISSET(DB_SALVAGE));
409 * !!!
410 @@ -2126,10 +2136,8 @@
411 int (*callback) __P((void *, const void *));
412 u_int32_t flags;
414 - ENV *env;
416 - env = dbp->env;
417 - DB_ASSERT(env, LF_ISSET(DB_SALVAGE));
418 + if (!LF_ISSET(DB_SALVAGE))
419 + return (EINVAL);
421 /* If we got this page in the subdb pass, we can safely skip it. */
422 if (__db_salvage_isdone(vdp, pgno))
423 @@ -2242,8 +2253,8 @@
424 ret = t_ret;
425 break;
426 case SALVAGE_OVERFLOW:
427 + EPRINT((env, DB_STR("5544", "Invalid page type to salvage.")));
428 + return (EINVAL);
429 - DB_ASSERT(env, 0); /* Shouldn't ever happen. */
430 - break;
431 case SALVAGE_HASH:
432 if ((t_ret = __ham_salvage(dbp, vdp,
433 pgno, h, handle, callback, flags)) != 0 && ret == 0)
434 @@ -2256,8 +2267,8 @@
435 * Shouldn't happen, but if it does, just do what the
436 * nice man says.
438 + EPRINT((env, DB_STR("5545", "Invalid page type to salvage.")));
439 + return (EINVAL);
440 - DB_ASSERT(env, 0);
441 - break;
443 if ((t_ret = __memp_fput(mpf,
444 vdp->thread_info, h, dbp->priority)) != 0 && ret == 0)
445 @@ -2303,8 +2314,8 @@
446 ret = t_ret;
447 break;
448 default:
449 + EPRINT((env, DB_STR("5546", "Invalid page type to salvage.")));
450 + return (EINVAL);
451 - DB_ASSERT(env, 0); /* Shouldn't ever happen. */
452 - break;
454 if ((t_ret = __memp_fput(mpf,
455 vdp->thread_info, h, dbp->priority)) != 0 && ret == 0)
456 @@ -2361,7 +2372,10 @@
458 env = dbp->env;
460 + if (himarkp == NULL) {
461 + __db_msg(env, "Page %lu index has no end.", (u_long)pgno);
462 + return (DB_VERIFY_FATAL);
464 - DB_ASSERT(env, himarkp != NULL);
465 inp = P_INP(dbp, h);
468 @@ -2783,7 +2797,11 @@
469 goto err;
470 ovfl_bufsz = bkkey->len + 1;
472 + if (subdbname == NULL) {
473 + EPRINT((env, DB_STR("5547", "Subdatabase cannot be null.")));
474 + ret = EINVAL;
475 + goto err;
477 - DB_ASSERT(env, subdbname != NULL);
478 memcpy(subdbname, bkkey->data, bkkey->len);
479 subdbname[bkkey->len] = '\0';
481 --- db-18.1.32/src/db/db_vrfyutil.c 2019-02-20 03:21:20.000000000 +0530
482 +++ db-18.1.40/src/db/db_vrfyutil.c 2020-05-29 23:28:22.000000000 +0530
483 @@ -214,7 +214,8 @@
484 if ((ret = __db_get(pgdbp,
485 vdp->thread_info, vdp->txn, &key, &data, 0)) == 0) {
486 /* Found it. */
487 + if (data.size != sizeof(VRFY_PAGEINFO))
488 + return (DB_VERIFY_FATAL);
489 - DB_ASSERT(env, data.size == sizeof(VRFY_PAGEINFO));
490 pip = data.data;
491 LIST_INSERT_HEAD(&vdp->activepips, pip, links);
492 goto found;
493 @@ -342,7 +343,8 @@
494 F_SET(&data, DB_DBT_USERMEM);
496 if ((ret = __db_get(dbp, ip, txn, &key, &data, 0)) == 0) {
497 + if (data.size != sizeof(int))
498 + return (EINVAL);
499 - DB_ASSERT(dbp->env, data.size == sizeof(int));
500 } else if (ret == DB_NOTFOUND)
501 val = 0;
502 else
503 @@ -382,7 +384,8 @@
504 F_SET(&data, DB_DBT_USERMEM);
506 if ((ret = __db_get(dbp, ip, txn, &key, &data, 0)) == 0) {
507 + if (data.size != sizeof(int))
508 + return (DB_VERIFY_FATAL);
509 - DB_ASSERT(dbp->env, data.size == sizeof(int));
510 } else if (ret != DB_NOTFOUND)
511 return (ret);
513 @@ -419,7 +422,8 @@
514 if ((ret = __dbc_get(dbc, &key, &data, DB_NEXT)) != 0)
515 return (ret);
517 + if (key.size != sizeof(db_pgno_t))
518 + return (DB_VERIFY_FATAL);
519 - DB_ASSERT(dbc->env, key.size == sizeof(db_pgno_t));
520 *pgnop = pgno;
522 return (0);
523 @@ -566,7 +570,8 @@
524 if ((ret = __dbc_get(dbc, &key, &data, DB_SET)) != 0)
525 return (ret);
527 + if (data.size != sizeof(VRFY_CHILDINFO))
528 + return (DB_VERIFY_FATAL);
529 - DB_ASSERT(dbc->env, data.size == sizeof(VRFY_CHILDINFO));
530 *cipp = (VRFY_CHILDINFO *)data.data;
532 return (0);
533 @@ -594,7 +599,8 @@
534 if ((ret = __dbc_get(dbc, &key, &data, DB_NEXT_DUP)) != 0)
535 return (ret);
537 + if (data.size != sizeof(VRFY_CHILDINFO))
538 + return (DB_VERIFY_FATAL);
539 - DB_ASSERT(dbc->env, data.size == sizeof(VRFY_CHILDINFO));
540 *cipp = (VRFY_CHILDINFO *)data.data;
542 return (0);
543 @@ -721,7 +727,8 @@
544 return (ret);
546 while ((ret = __dbc_get(*dbcp, &key, &data, DB_NEXT)) == 0) {
547 + if (data.size != sizeof(u_int32_t))
548 + return (DB_VERIFY_FATAL);
549 - DB_ASSERT(dbp->env, data.size == sizeof(u_int32_t));
550 memcpy(&pgtype, data.data, sizeof(pgtype));
552 if (skip_overflow && pgtype == SALVAGE_OVERFLOW)
553 @@ -730,8 +737,9 @@
554 if ((ret = __dbc_del(*dbcp, 0)) != 0)
555 return (ret);
556 if (pgtype != SALVAGE_IGNORE) {
557 + if (key.size != sizeof(db_pgno_t)
558 + || data.size != sizeof(u_int32_t))
559 + return (DB_VERIFY_FATAL);
560 - DB_ASSERT(dbp->env, key.size == sizeof(db_pgno_t));
561 - DB_ASSERT(dbp->env, data.size == sizeof(u_int32_t));
563 *pgnop = *(db_pgno_t *)key.data;
564 *pgtypep = *(u_int32_t *)data.data;
565 --- db-18.1.32/src/db/partition.c 2019-02-20 03:21:20.000000000 +0530
566 +++ db-18.1.40/src/db/partition.c 2020-05-29 23:28:22.000000000 +0530
567 @@ -461,9 +461,19 @@
568 } else
569 part->nparts = meta->nparts;
570 } else if (meta->nparts != 0 && part->nparts != meta->nparts) {
571 + ret = EINVAL;
572 __db_errx(env, DB_STR("0656",
573 "Number of partitions does not match."));
574 - ret = EINVAL;
575 + goto err;
577 + /*
578 + * There is no limit on the number of partitions, but I cannot imagine a real
579 + * database having more than 10000.
580 + */
581 + if (meta->nparts > 10000) {
582 + ret = EINVAL;
583 + __db_errx(env, DB_STR_A("5553",
584 + "Too many partitions %lu", "%lu"), (u_long)(meta->nparts));
585 goto err;
588 @@ -2106,10 +2116,13 @@
589 memcpy(rp->data, key->data, key->size);
590 B_TSET(rp->type, B_KEYDATA);
592 +vrfy: if ((t_ret = __db_verify(*pdbp, ip, (*pdbp)->fname,
593 + NULL, handle, callback,
594 + lp, rp, flags | DB_VERIFY_PARTITION)) != 0 && ret == 0) {
595 + ret = t_ret;
596 + if (ret == ENOENT)
597 + break;
599 -vrfy: if ((t_ret = __db_verify(*pdbp, ip, (*pdbp)->fname,
600 - NULL, handle, callback,
601 - lp, rp, flags | DB_VERIFY_PARTITION)) != 0 && ret == 0)
602 - ret = t_ret;
605 err: if (lp != NULL)
606 --- db-18.1.32/src/hash/hash_page.c 2019-02-20 03:21:20.000000000 +0530
607 +++ db-18.1.40/src/hash/hash_page.c 2020-05-29 23:28:22.000000000 +0530
608 @@ -869,7 +869,11 @@
609 /* Validate that next, prev pointers are OK */
610 n = NUM_ENT(p);
611 dbp = dbc->dbp;
612 + if (n % 2 != 0) {
613 + __db_errx(dbp->env, DB_STR_A("5549",
614 + "Odd number of entries on page: %lu", "%lu"), (u_long)(p->pgno));
615 + return (DB_VERIFY_FATAL);
617 - DB_ASSERT(dbp->env, n%2 == 0 );
619 env = dbp->env;
620 t = dbp->h_internal;
621 @@ -940,7 +944,12 @@
622 if ((ret = __db_prpage(dbp, p, DB_PR_PAGE)) != 0)
623 return (ret);
624 #endif
625 + if (res >= 0) {
626 + __db_errx(env, DB_STR_A("5550",
627 + "Odd number of entries on page: %lu", "%lu"),
628 + (u_long)p->pgno);
629 + return (DB_VERIFY_FATAL);
631 - DB_ASSERT(dbp->env, res < 0);
634 prev = curr;
635 --- db-18.1.32/src/hash/hash_verify.c 2019-02-20 03:21:20.000000000 +0530
636 +++ db-18.1.40/src/hash/hash_verify.c 2020-05-29 23:28:22.000000000 +0530
637 @@ -615,7 +615,7 @@
638 isbad = 1;
639 else
640 goto err;
645 * There may be unused hash pages corresponding to buckets
646 @@ -746,7 +746,7 @@
647 "Page %lu: impossible first page in bucket %lu", "%lu %lu"),
648 (u_long)pgno, (u_long)bucket));
649 /* Unsafe to continue. */
650 + ret = DB_VERIFY_FATAL;
651 - isbad = 1;
652 goto err;
655 @@ -776,7 +776,7 @@
656 EPRINT((env, DB_STR_A("1116",
657 "Page %lu: hash page referenced twice", "%lu"),
658 (u_long)pgno));
659 + ret = DB_VERIFY_FATAL;
660 - isbad = 1;
661 /* Unsafe to continue. */
662 goto err;
663 } else if ((ret = __db_vrfy_pgset_inc(vdp->pgset,
664 @@ -1307,7 +1307,11 @@
665 COMPQUIET(flags, 0);
666 ip = vdp->thread_info;
668 + if (pgset == NULL) {
669 + EPRINT((dbp->env, DB_STR("5548",
670 + "Error, database contains no visible pages.")));
671 + return (DB_VERIFY_FATAL);
673 - DB_ASSERT(dbp->env, pgset != NULL);
675 mpf = dbp->mpf;
676 totpgs = 0;
677 --- db-18.1.32/src/qam/qam_verify.c 2019-02-20 03:21:20.000000000 +0530
678 +++ db-18.1.40/src/qam/qam_verify.c 2020-05-29 23:28:22.000000000 +0530
679 @@ -465,7 +465,14 @@
680 /* Verify/salvage each page. */
681 if ((ret = __db_cursor(dbp, vdp->thread_info, NULL, &dbc, 0)) != 0)
682 return (ret);
683 -begin: for (; i <= stop; i++) {
684 +begin: if ((stop - i) > 100000) {
685 + EPRINT((env, DB_STR_A("5551",
686 +"Warning, many possible extends files (%lu), will take a long time to verify",
687 + "%lu"), (u_long)(stop - i)));
689 + for (; i <= stop; i++) {
690 + if (i == UINT32_MAX)
691 + break;
693 * If DB_SALVAGE is set, we inspect our database of completed
694 * pages, and skip any we've already printed in the subdb pass.