Reject empty metadata sections

oschwald · oschwald · commit eba8bb7bcffa · 2026-05-04T16:11:02.000Z
diff --git a/Changes.md b/Changes.md
@@ -4,6 +4,10 @@
   `sockaddr` with an unsupported address family. The function now rejects any
   family other than `AF_INET` and `AF_INET6` with
   `MMDB_INVALID_NETWORK_ADDRESS_ERROR`.
+- Fixed metadata parsing for files that end immediately after the
+  `\xAB\xCD\xEFMaxMind.com` marker. Such files are now rejected as invalid
+  metadata instead of allowing a zero-length metadata section to reach the
+  decoder.
 
 ## 1.13.3 - 2026-03-05
 
diff --git a/src/maxminddb.c b/src/maxminddb.c
@@ -518,7 +518,7 @@ static const uint8_t *find_metadata(const uint8_t *file_content,
         }
     } while (NULL != tmp);
 
-    if (search_area == start) {
+    if (search_area == start || max_size <= 0) {
         return NULL;
     }
 
@@ -1431,6 +1431,13 @@ static int decode_one(const MMDB_s *const mmdb,
                       MMDB_entry_data_s *entry_data) {
     const uint8_t *mem = mmdb->data_section;
 
+    if (mmdb->data_section_size == 0) {
+        // decode_one is also called with a fake mmdb whose data_section
+        // points at the metadata; either way an empty section is invalid.
+        DEBUG_MSG("decode_one called with an empty section");
+        return MMDB_INVALID_DATA_ERROR;
+    }
+
     // We subtract rather than add as it possible that offset + 1
     // could overflow for a corrupt database while an underflow
     // from data_section_size - 1 should not be possible.
diff --git a/t/CMakeLists.txt b/t/CMakeLists.txt
@@ -17,6 +17,7 @@ set(TEST_TARGET_NAMES
   get_value_t
   ipv4_start_cache_t
   ipv6_lookup_in_ipv4_t
+  metadata_marker_t
   metadata_pointers_t
   metadata_t
   no_map_get_value_t
diff --git a/t/Makefile.am b/t/Makefile.am
@@ -23,7 +23,8 @@ check_PROGRAMS = \
 	gai_error_t get_value_t \
 	get_value_pointer_bug_t invalid_sockaddr_t \
 	ipv4_start_cache_t ipv6_lookup_in_ipv4_t max_depth_t metadata_t \
-	metadata_pointers_t no_map_get_value_t overflow_bounds_t read_node_t \
+	metadata_marker_t metadata_pointers_t no_map_get_value_t \
+	overflow_bounds_t read_node_t \
 	threads_t version_t
 
 data_pool_t_LDFLAGS = $(AM_LDFLAGS) -lm
diff --git a/t/maxmind-db b/t/maxmind-db
@@ -1 +1 @@
-Subproject commit 819f226fbf8290c2b171ac077e6e050618dd3574
+Subproject commit 9ebfd5deeeaf6b6c3dde31f93f10c19e3f3758c1
diff --git a/t/metadata_marker_t.c b/t/metadata_marker_t.c
@@ -0,0 +1,24 @@
+#include "maxminddb_test_helper.h"
+
+static void test_trailing_metadata_marker(void) {
+    char *db_file =
+        bad_database_path("libmaxminddb-metadata-marker-only.mmdb");
+    MMDB_s mmdb;
+    int status = MMDB_open(db_file, MMDB_MODE_MMAP, &mmdb);
+    cmp_ok(status,
+           "==",
+           MMDB_INVALID_METADATA_ERROR,
+           "MMDB_open rejects a file containing only the metadata marker");
+
+    if (status == MMDB_SUCCESS) {
+        MMDB_close(&mmdb);
+    }
+
+    free(db_file);
+}
+
+int main(void) {
+    plan(NO_PLAN);
+    test_trailing_metadata_marker();
+    done_testing();
+}
