Validate array/map size in get_entry_data_list against remaining data

A crafted database could claim millions of array/map elements while
only having a few bytes of data, causing disproportionate memory
allocation (~40x amplification). Now validate that the claimed element
count does not exceed the remaining data section bytes before entering
the allocation loop.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: oschwald

Changes.md

@@ -1,5 +1,10 @@
 ## 1.13.0
 
+* `MMDB_get_entry_data_list()` now validates that the claimed array/map
+  size is plausible given the remaining bytes in the data section. A
+  crafted database could previously claim millions of array elements
+  while only having a few bytes of data, causing disproportionate memory
+  allocation (memory amplification DoS).
 * On Windows, `GetFileSize()` was replaced with `GetFileSizeEx()` to
   correctly handle files larger than 4GB. The previous code passed
   `NULL` for the high DWORD, discarding the upper 32 bits of the file

src/maxminddb.c

@@ -1724,6 +1724,10 @@ static int get_entry_data_list(const MMDB_s *const mmdb,
         case MMDB_DATA_TYPE_ARRAY: {
             uint32_t array_size = entry_data_list->entry_data.data_size;
             uint32_t array_offset = entry_data_list->entry_data.offset_to_next;
+            if (array_offset >= mmdb->data_section_size ||
+                array_size > mmdb->data_section_size - array_offset) {
+                return MMDB_INVALID_DATA_ERROR;
+            }
             while (array_size-- > 0) {
                 MMDB_entry_data_list_s *entry_data_list_to =
                     data_pool_alloc(pool);
@@ -1747,6 +1751,11 @@ static int get_entry_data_list(const MMDB_s *const mmdb,
             uint32_t size = entry_data_list->entry_data.data_size;
 
             offset = entry_data_list->entry_data.offset_to_next;
+            /* Each map entry needs at least a key and a value (1 byte each). */
+            if (offset >= mmdb->data_section_size ||
+                size > (mmdb->data_section_size - offset) / 2) {
+                return MMDB_INVALID_DATA_ERROR;
+            }
             while (size-- > 0) {
                 MMDB_entry_data_list_s *list_key = data_pool_alloc(pool);
                 if (!list_key) {

t/Makefile.am

@@ -16,8 +16,8 @@ EXTRA_DIST = compile_c++_t.pl external_symbols_t.pl  mmdblookup_t.pl \
 	     libtap/tap.c libtap/tap.h maxmind-db
 
 check_PROGRAMS = \
-	bad_pointers_t bad_databases_t bad_epoch_t bad_indent_t basic_lookup_t \
-	data_entry_list_t \
+	bad_pointers_t bad_databases_t bad_data_size_t bad_epoch_t bad_indent_t \
+	basic_lookup_t data_entry_list_t \
     data-pool-t data_types_t double_close_t dump_t gai_error_t get_value_t \
 	get_value_pointer_bug_t \
 	ipv4_start_cache_t ipv6_lookup_in_ipv4_t max_depth_t metadata_t \

t/bad_data_size_t.c

@@ -0,0 +1,349 @@
+#include "maxminddb_test_helper.h"
+#include <stdlib.h>
+
+/* MMDB binary format constants */
+#define METADATA_MARKER "\xab\xcd\xefMaxMind.com"
+#define METADATA_MARKER_LEN 14
+#define DATA_SEPARATOR_SIZE 16
+
+static int write_map(uint8_t *buf, uint32_t size) {
+    buf[0] = (7 << 5) | (size & 0x1f);
+    return 1;
+}
+
+static int write_string(uint8_t *buf, const char *str, uint32_t len) {
+    buf[0] = (2 << 5) | (len & 0x1f);
+    memcpy(buf + 1, str, len);
+    return 1 + len;
+}
+
+static int write_uint16(uint8_t *buf, uint16_t value) {
+    buf[0] = (5 << 5) | 2;
+    buf[1] = (value >> 8) & 0xff;
+    buf[2] = value & 0xff;
+    return 3;
+}
+
+static int write_uint32(uint8_t *buf, uint32_t value) {
+    buf[0] = (6 << 5) | 4;
+    buf[1] = (value >> 24) & 0xff;
+    buf[2] = (value >> 16) & 0xff;
+    buf[3] = (value >> 8) & 0xff;
+    buf[4] = value & 0xff;
+    return 5;
+}
+
+static int write_uint64(uint8_t *buf, uint64_t value) {
+    buf[0] = (0 << 5) | 8;
+    buf[1] = 2; /* extended type: 7 + 2 = 9 (uint64) */
+    buf[2] = (value >> 56) & 0xff;
+    buf[3] = (value >> 48) & 0xff;
+    buf[4] = (value >> 40) & 0xff;
+    buf[5] = (value >> 32) & 0xff;
+    buf[6] = (value >> 24) & 0xff;
+    buf[7] = (value >> 16) & 0xff;
+    buf[8] = (value >> 8) & 0xff;
+    buf[9] = value & 0xff;
+    return 10;
+}
+
+static int write_meta_key(uint8_t *buf, const char *key) {
+    return write_string(buf, key, strlen(key));
+}
+
+/*
+ * Write a map control byte with a large size using case-31 encoding.
+ * Type 7 (map) fits in the base types: control byte = (7 << 5) | size_marker.
+ * For case-31 size encoding: control byte size bits = 31,
+ * then 3 bytes for (size - 65821).
+ */
+static int write_large_map(uint8_t *buf, uint32_t size) {
+    uint32_t adjusted = size - 65821;
+    buf[0] = (7 << 5) | 31; /* type 7 (map), size = case 31 */
+    buf[1] = (adjusted >> 16) & 0xff;
+    buf[2] = (adjusted >> 8) & 0xff;
+    buf[3] = adjusted & 0xff;
+    return 4;
+}
+
+/*
+ * Write an array control byte with a large size using case-31 encoding.
+ * Type 11 (array) is extended: control byte = (0 << 5) | size_marker,
+ * followed by extended type byte 4.
+ * For case-31 size encoding: control byte size bits = 31,
+ * then 3 bytes for (size - 65821).
+ */
+static int write_large_array(uint8_t *buf, uint32_t size) {
+    uint32_t adjusted = size - 65821;
+    buf[0] = (0 << 5) | 31; /* extended type, size = case 31 */
+    buf[1] = 4;              /* extended type: 7 + 4 = 11 (array) */
+    buf[2] = (adjusted >> 16) & 0xff;
+    buf[3] = (adjusted >> 8) & 0xff;
+    buf[4] = adjusted & 0xff;
+    return 5;
+}
+
+/*
+ * Create a crafted MMDB with an array claiming 1,000,000 elements but
+ * only a few bytes of actual data.
+ */
+static void create_bad_data_size_db(const char *path) {
+    uint32_t node_count = 1;
+    uint32_t record_size = 24;
+    uint32_t record_value = node_count + 16;
+
+    /* The data section needs enough bytes for the array header + a few
+     * elements but NOT enough for 1M elements. */
+    size_t data_buf_size = 64;
+    size_t metadata_buf_size = 512;
+    size_t search_tree_size = 6;
+    size_t total_size = search_tree_size + DATA_SEPARATOR_SIZE + data_buf_size +
+                        METADATA_MARKER_LEN + metadata_buf_size;
+
+    uint8_t *file = calloc(1, total_size);
+    if (!file) {
+        BAIL_OUT("calloc failed");
+    }
+
+    size_t pos = 0;
+
+    /* Search tree: 1 node, 24-bit records, both pointing to data */
+    file[pos++] = (record_value >> 16) & 0xff;
+    file[pos++] = (record_value >> 8) & 0xff;
+    file[pos++] = record_value & 0xff;
+    file[pos++] = (record_value >> 16) & 0xff;
+    file[pos++] = (record_value >> 8) & 0xff;
+    file[pos++] = record_value & 0xff;
+
+    /* 16-byte null separator */
+    memset(file + pos, 0, DATA_SEPARATOR_SIZE);
+    pos += DATA_SEPARATOR_SIZE;
+
+    /* Data section: array claiming 1,000,000 elements */
+    pos += write_large_array(file + pos, 1000000);
+
+    /* Only write a few bytes of actual data (way less than 1M entries) */
+    pos += write_string(file + pos, "x", 1);
+    pos += write_string(file + pos, "y", 1);
+
+    /* Pad to data_buf_size */
+    size_t data_end = search_tree_size + DATA_SEPARATOR_SIZE + data_buf_size;
+    if (pos < data_end) {
+        pos = data_end;
+    }
+
+    /* Metadata marker */
+    memcpy(file + pos, METADATA_MARKER, METADATA_MARKER_LEN);
+    pos += METADATA_MARKER_LEN;
+
+    /* Metadata map */
+    pos += write_map(file + pos, 9);
+
+    pos += write_meta_key(file + pos, "binary_format_major_version");
+    pos += write_uint16(file + pos, 2);
+
+    pos += write_meta_key(file + pos, "binary_format_minor_version");
+    pos += write_uint16(file + pos, 0);
+
+    pos += write_meta_key(file + pos, "build_epoch");
+    pos += write_uint64(file + pos, 1000000000ULL);
+
+    pos += write_meta_key(file + pos, "database_type");
+    pos += write_string(file + pos, "Test", 4);
+
+    pos += write_meta_key(file + pos, "description");
+    pos += write_map(file + pos, 0);
+
+    pos += write_meta_key(file + pos, "ip_version");
+    pos += write_uint16(file + pos, 4);
+
+    pos += write_meta_key(file + pos, "languages");
+    file[pos++] = (0 << 5) | 0;
+    file[pos++] = 4; /* extended type: 7 + 4 = 11 (array) */
+
+    pos += write_meta_key(file + pos, "node_count");
+    pos += write_uint32(file + pos, node_count);
+
+    pos += write_meta_key(file + pos, "record_size");
+    pos += write_uint16(file + pos, record_size);
+
+    FILE *f = fopen(path, "wb");
+    if (!f) {
+        free(file);
+        BAIL_OUT("fopen failed");
+    }
+    fwrite(file, 1, pos, f);
+    fclose(f);
+    free(file);
+}
+
+void test_bad_data_size_rejected(void) {
+    const char *path = "/tmp/test_bad_data_size.mmdb";
+    create_bad_data_size_db(path);
+
+    MMDB_s mmdb;
+    int status = MMDB_open(path, MMDB_MODE_MMAP, &mmdb);
+    cmp_ok(status, "==", MMDB_SUCCESS, "opened bad-data-size MMDB");
+
+    if (status != MMDB_SUCCESS) {
+        diag("MMDB_open failed: %s", MMDB_strerror(status));
+        remove(path);
+        return;
+    }
+
+    int gai_error, mmdb_error;
+    MMDB_lookup_result_s result =
+        MMDB_lookup_string(&mmdb, "1.2.3.4", &gai_error, &mmdb_error);
+
+    cmp_ok(mmdb_error, "==", MMDB_SUCCESS, "lookup succeeded");
+    ok(result.found_entry, "entry found");
+
+    if (result.found_entry) {
+        MMDB_entry_data_list_s *entry_data_list = NULL;
+        status = MMDB_get_entry_data_list(&result.entry, &entry_data_list);
+        cmp_ok(status,
+               "==",
+               MMDB_INVALID_DATA_ERROR,
+               "MMDB_get_entry_data_list returns INVALID_DATA_ERROR "
+               "for array with size exceeding remaining data");
+        MMDB_free_entry_data_list(entry_data_list);
+    }
+
+    MMDB_close(&mmdb);
+    remove(path);
+}
+
+/*
+ * Create a crafted MMDB with a map claiming 1,000,000 entries but
+ * only a few bytes of actual data.
+ */
+static void create_bad_map_size_db(const char *path) {
+    uint32_t node_count = 1;
+    uint32_t record_size = 24;
+    uint32_t record_value = node_count + 16;
+
+    size_t data_buf_size = 64;
+    size_t metadata_buf_size = 512;
+    size_t search_tree_size = 6;
+    size_t total_size = search_tree_size + DATA_SEPARATOR_SIZE + data_buf_size +
+                        METADATA_MARKER_LEN + metadata_buf_size;
+
+    uint8_t *file = calloc(1, total_size);
+    if (!file) {
+        BAIL_OUT("calloc failed");
+    }
+
+    size_t pos = 0;
+
+    /* Search tree: 1 node, 24-bit records, both pointing to data */
+    file[pos++] = (record_value >> 16) & 0xff;
+    file[pos++] = (record_value >> 8) & 0xff;
+    file[pos++] = record_value & 0xff;
+    file[pos++] = (record_value >> 16) & 0xff;
+    file[pos++] = (record_value >> 8) & 0xff;
+    file[pos++] = record_value & 0xff;
+
+    /* 16-byte null separator */
+    memset(file + pos, 0, DATA_SEPARATOR_SIZE);
+    pos += DATA_SEPARATOR_SIZE;
+
+    /* Data section: map claiming 1,000,000 entries */
+    pos += write_large_map(file + pos, 1000000);
+
+    /* Only write a couple of key-value pairs (way less than 1M entries) */
+    pos += write_string(file + pos, "k", 1);
+    pos += write_string(file + pos, "v", 1);
+
+    /* Pad to data_buf_size */
+    size_t data_end = search_tree_size + DATA_SEPARATOR_SIZE + data_buf_size;
+    if (pos < data_end) {
+        pos = data_end;
+    }
+
+    /* Metadata marker */
+    memcpy(file + pos, METADATA_MARKER, METADATA_MARKER_LEN);
+    pos += METADATA_MARKER_LEN;
+
+    /* Metadata map */
+    pos += write_map(file + pos, 9);
+
+    pos += write_meta_key(file + pos, "binary_format_major_version");
+    pos += write_uint16(file + pos, 2);
+
+    pos += write_meta_key(file + pos, "binary_format_minor_version");
+    pos += write_uint16(file + pos, 0);
+
+    pos += write_meta_key(file + pos, "build_epoch");
+    pos += write_uint64(file + pos, 1000000000ULL);
+
+    pos += write_meta_key(file + pos, "database_type");
+    pos += write_string(file + pos, "Test", 4);
+
+    pos += write_meta_key(file + pos, "description");
+    pos += write_map(file + pos, 0);
+
+    pos += write_meta_key(file + pos, "ip_version");
+    pos += write_uint16(file + pos, 4);
+
+    pos += write_meta_key(file + pos, "languages");
+    file[pos++] = (0 << 5) | 0;
+    file[pos++] = 4; /* extended type: 7 + 4 = 11 (array) */
+
+    pos += write_meta_key(file + pos, "node_count");
+    pos += write_uint32(file + pos, node_count);
+
+    pos += write_meta_key(file + pos, "record_size");
+    pos += write_uint16(file + pos, record_size);
+
+    FILE *f = fopen(path, "wb");
+    if (!f) {
+        free(file);
+        BAIL_OUT("fopen failed");
+    }
+    fwrite(file, 1, pos, f);
+    fclose(f);
+    free(file);
+}
+
+void test_bad_map_size_rejected(void) {
+    const char *path = "/tmp/test_bad_map_size.mmdb";
+    create_bad_map_size_db(path);
+
+    MMDB_s mmdb;
+    int status = MMDB_open(path, MMDB_MODE_MMAP, &mmdb);
+    cmp_ok(status, "==", MMDB_SUCCESS, "opened bad-map-size MMDB");
+
+    if (status != MMDB_SUCCESS) {
+        diag("MMDB_open failed: %s", MMDB_strerror(status));
+        remove(path);
+        return;
+    }
+
+    int gai_error, mmdb_error;
+    MMDB_lookup_result_s result =
+        MMDB_lookup_string(&mmdb, "1.2.3.4", &gai_error, &mmdb_error);
+
+    cmp_ok(mmdb_error, "==", MMDB_SUCCESS, "lookup succeeded");
+    ok(result.found_entry, "entry found");
+
+    if (result.found_entry) {
+        MMDB_entry_data_list_s *entry_data_list = NULL;
+        status = MMDB_get_entry_data_list(&result.entry, &entry_data_list);
+        cmp_ok(status,
+               "==",
+               MMDB_INVALID_DATA_ERROR,
+               "MMDB_get_entry_data_list returns INVALID_DATA_ERROR "
+               "for map with size exceeding remaining data");
+        MMDB_free_entry_data_list(entry_data_list);
+    }
+
+    MMDB_close(&mmdb);
+    remove(path);
+}
+
+int main(void) {
+    plan(NO_PLAN);
+    test_bad_data_size_rejected();
+    test_bad_map_size_rejected();
+    done_testing();
+}