Reject empty metadata sections

Author: oschwald

Changes.md

@@ -4,6 +4,10 @@
   `sockaddr` with an unsupported address family. The function now rejects any
   family other than `AF_INET` and `AF_INET6` with
   `MMDB_INVALID_NETWORK_ADDRESS_ERROR`.
+- Fixed metadata parsing for files that end immediately after the
+  `\xAB\xCD\xEFMaxMind.com` marker. Such files are now rejected as invalid
+  metadata instead of allowing a zero-length metadata section to reach the
+  decoder.
 
 ## 1.13.3 - 2026-03-05
 

src/maxminddb.c

@@ -518,7 +518,7 @@ static const uint8_t *find_metadata(const uint8_t *file_content,
         }
     } while (NULL != tmp);
 
-    if (search_area == start) {
+    if (search_area == start || max_size <= 0) {
         return NULL;
     }
 
@@ -1431,6 +1431,13 @@ static int decode_one(const MMDB_s *const mmdb,
                       MMDB_entry_data_s *entry_data) {
     const uint8_t *mem = mmdb->data_section;
 
+    if (mmdb->data_section_size == 0) {
+        // decode_one is also called with a fake mmdb whose data_section
+        // points at the metadata; either way an empty section is invalid.
+        DEBUG_MSG("decode_one called with an empty section");
+        return MMDB_INVALID_DATA_ERROR;
+    }
+
     // We subtract rather than add as it possible that offset + 1
     // could overflow for a corrupt database while an underflow
     // from data_section_size - 1 should not be possible.

t/CMakeLists.txt

@@ -17,6 +17,7 @@ set(TEST_TARGET_NAMES
   get_value_t
   ipv4_start_cache_t
   ipv6_lookup_in_ipv4_t
+  metadata_marker_t
   metadata_pointers_t
   metadata_t
   no_map_get_value_t

t/Makefile.am

@@ -23,7 +23,8 @@ check_PROGRAMS = \
 	gai_error_t get_value_t \
 	get_value_pointer_bug_t invalid_sockaddr_t \
 	ipv4_start_cache_t ipv6_lookup_in_ipv4_t max_depth_t metadata_t \
-	metadata_pointers_t no_map_get_value_t overflow_bounds_t read_node_t \
+	metadata_marker_t metadata_pointers_t no_map_get_value_t \
+	overflow_bounds_t read_node_t \
 	threads_t version_t
 
 data_pool_t_LDFLAGS = $(AM_LDFLAGS) -lm

t/metadata_marker_t.c

@@ -0,0 +1,73 @@
+// Required for mkstemp visibility under -D_POSIX_C_SOURCE=200112L on glibc.
+#define _XOPEN_SOURCE 500
+
+#include "maxminddb_test_helper.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#ifdef _WIN32
+    #include <io.h>
+    #define unlink _unlink
+#else
+    #include <unistd.h>
+#endif
+
+static FILE *open_temp_file(char *path, size_t path_size) {
+#ifdef _WIN32
+    errno_t err = tmpnam_s(path, path_size);
+    if (err != 0) {
+        return NULL;
+    }
+    return fopen(path, "wb");
+#else
+    snprintf(path, path_size, "./metadata-marker-XXXXXX");
+    int fd = mkstemp(path);
+    if (fd < 0) {
+        return NULL;
+    }
+    return fdopen(fd, "wb");
+#endif
+}
+
+static void test_trailing_metadata_marker(void) {
+    char temp_path[64];
+    FILE *temp = open_temp_file(temp_path, sizeof(temp_path));
+    if (!temp) {
+        BAIL_OUT("could not create temp file: %s", strerror(errno));
+    }
+
+    static const unsigned char metadata_marker[] = "\xab\xcd\xefMaxMind.com";
+    size_t expected = sizeof(metadata_marker) - 1;
+    if (fwrite(metadata_marker, 1, expected, temp) != expected) {
+        int saved_errno = errno;
+        fclose(temp);
+        unlink(temp_path);
+        BAIL_OUT("fwrite failed: %s", strerror(saved_errno));
+    }
+    if (fclose(temp) != 0) {
+        int saved_errno = errno;
+        unlink(temp_path);
+        BAIL_OUT("fclose failed: %s", strerror(saved_errno));
+    }
+
+    MMDB_s mmdb;
+    int status = MMDB_open(temp_path, MMDB_MODE_MMAP, &mmdb);
+    cmp_ok(status,
+           "==",
+           MMDB_INVALID_METADATA_ERROR,
+           "MMDB_open rejects a trailing metadata marker with no metadata");
+
+    if (status == MMDB_SUCCESS) {
+        MMDB_close(&mmdb);
+    }
+
+    unlink(temp_path);
+}
+
+int main(void) {
+    plan(NO_PLAN);
+    test_trailing_metadata_marker();
+    done_testing();
+}