Harden libmaxminddb against crafted/malformed databases

[oschwald]

Summary

Addresses ENG-4239. Nine targeted fixes for integer overflows, NULL dereferences, memory amplification, and undefined behavior found during a security audit of libmaxminddb.

Library fixes (src/maxminddb.c):

• Validate array/map size in get_entry_data_list against remaining data (memory amplification DoS)
• Replace GetFileSize with GetFileSizeEx on Windows to handle >4GB files correctly
• Fix integer overflow in MMDB_read_node/find_ipv4_start_node pointer arithmetic (cast to uint64_t)
• Fix integer overflow in find_address_in_search_tree bounds check

mmdblookup fixes (bin/mmdblookup.c):

• Fix printf format specifiers (%i→PRIu32, %llu→PRIu64) in metadata dump
• Fix gmtime NULL dereference on out-of-range build_epoch
• Fix print_indentation stack overflow on negative indent

Defensive hardening:

• NULL file_content after munmap to prevent double-unmap
• Initialize *mmdb_error in MMDB_lookup_string on getaddrinfo failure

Each fix has a dedicated test in t/.

Test plan

• make check — all 27 tests pass
• Review each commit individually (one logical fix per commit)
• Verify Windows build compiles (the GetFileSizeEx and error code changes are #ifdef-guarded)

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello @oschwald, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and stability of the libmaxminddb library and its associated mmdblookup utility. It addresses several critical issues, including potential denial-of-service vectors, memory corruption, and undefined behavior, by implementing robust validation checks and correcting arithmetic operations. The changes ensure that the library can gracefully handle malformed database files and edge cases, making it more reliable for production environments.

Highlights

• Security Hardening: Implemented nine targeted fixes to address potential security vulnerabilities such as integer overflows, NULL dereferences, memory amplification, and undefined behavior, identified during a security audit.
• Robustness Improvements: Enhanced the library's resilience against malformed or crafted MaxMind DB files by validating array/map sizes, handling large file sizes on Windows, and preventing stack overflows from deeply nested data structures.
• API Stability: Improved the mmdblookup utility by fixing printf format specifier mismatches, preventing gmtime NULL dereferences, and ensuring mmdb_error is always initialized on getaddrinfo failures.
• Comprehensive Testing: Added dedicated test cases for each fix, covering scenarios like bad data sizes, out-of-range build epochs, negative indentation, double-close operations, getaddrinfo failures, maximum recursion depth, and overflow bounds.

Changelog

• Changes.md
  • Updated with a comprehensive list of security and stability fixes for the 1.13.0 release.
• bin/mmdblookup.c
  • Included <inttypes.h> for portable integer types.
  • Adjusted alloca size for the program name buffer on Windows to prevent an off-by-one error.
  • Updated printf format specifiers in metadata dump to use PRIu32, PRIu16, and PRIu64 for correct type matching.
  • Added a check for gmtime() return value to prevent NULL dereference when displaying metadata for an out-of-range build_epoch.
• src/maxminddb.c
  • Modified skip_map_or_array function signature to include a depth parameter for recursion tracking.
  • Changed the type of size from DWORD to ssize_t in map_file for broader compatibility.
  • Replaced GetFileSize with GetFileSizeEx and added size validation in map_file to correctly handle files larger than 4GB on Windows.
  • Ensured *mmdb_error is initialized to MMDB_SUCCESS when getaddrinfo fails in MMDB_lookup_string.
  • Cast node_count to uint64_t in find_address_in_search_tree bounds check to prevent integer overflow.
  • Cast node_value to uint64_t in find_ipv4_start_node pointer arithmetic to prevent integer overflow.
  • Corrected the bounds check in MMDB_read_node from node_number > node_count to node_number >= node_count and cast node_number to uint64_t.
  • Added a recursion depth limit to skip_map_or_array to prevent stack overflows from deeply nested data structures.
  • Implemented size validation for array and map entries in get_entry_data_list to prevent memory amplification attacks.
  • Set mmdb->file_content to NULL after munmap in free_mmdb_struct to prevent double-unmap issues.
  • Initialized mmdb->metadata.languages.count and mmdb->metadata.description.count to 0 in their respective free functions.
  • Clamped negative indent values to 0 in print_indentation to prevent stack buffer overflows.
• t/Makefile.am
  • Added new test programs: bad_data_size_t, bad_epoch_t, bad_indent_t, double_close_t, gai_error_t, max_depth_t, and overflow_bounds_t.
• t/bad_data_size_t.c
  • Added a new test file to verify that crafted MMDB files with arrays or maps claiming large sizes but containing insufficient data are rejected.
• t/bad_epoch_t.c
  • Added a new test file to ensure the library handles MMDB files with out-of-range build_epoch values without crashing.
• t/bad_indent_t.c
  • Added a new test file to confirm that print_indentation correctly handles negative indent values by clamping them to zero.
• t/double_close_t.c
  • Added a new test file to verify that calling MMDB_close multiple times on the same MMDB_s struct does not lead to crashes or undefined behavior.
• t/gai_error_t.c
  • Added a new test file to ensure mmdb_error is properly set to MMDB_SUCCESS when getaddrinfo fails in MMDB_lookup_string.
• t/max_depth_t.c
  • Added a new test file to validate the recursion depth limit for deeply nested maps and arrays, preventing stack overflows.
• t/overflow_bounds_t.c
  • Added a new test file to confirm that 64-bit arithmetic is correctly used in bounds checks and that normal lookups continue to function as expected.
• t/read_node_t.c
  • Added a new test function run_read_node_invalid_node_number_tests to verify that MMDB_read_node correctly rejects invalid node numbers.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request significantly hardens libmaxminddb against various forms of crafted or malformed databases, addressing potential security vulnerabilities such as integer overflows, NULL dereferences, memory amplification, and undefined behavior. The changes include robust validation checks, correct handling of large file sizes on Windows, proper type casting for arithmetic operations, and improved error handling. The addition of new test cases for these specific issues is also a great step towards ensuring the library's stability and security. Overall, these are crucial improvements for the library's resilience.

[horgh]

  - Consistency with record_type() (line 1080): The equivalent check there uses subtraction (record - node_count < mmdb->data_section_size) instead of addition, which naturally
  avoids overflow since record is uint64_t. The two functions use different idioms for the same logical check — not a bug, but worth being aware of for future maintainability.

Not sure if we want to change anything, but it has a minor point.