ITS#8722 fix FIRST_DUP/LAST_DUP cursor bounds check

diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
index 1eebb153f226c18d73902fe21abb107774e24541..9c0b3ca45015c8cb7fdc259076407d85c77f2be5 100644 (file)
--- a/libraries/liblmdb/mdb.c
+++ b/libraries/liblmdb/mdb.c
@@ -7799,6 +7799,11 @@ fetchm:
                        rc = MDB_INCOMPATIBLE;
                        break;
                }
+               if (mc->mc_ki[mc->mc_top] >= NUMKEYS(mc->mc_pg[mc->mc_top])) {
+                       mc->mc_ki[mc->mc_top] = NUMKEYS(mc->mc_pg[mc->mc_top]);
+                       rc = MDB_NOTFOUND;
+                       break;
+               }
                {
                        MDB_node *leaf = NODEPTR(mc->mc_pg[mc->mc_top], mc->mc_ki[mc->mc_top]);
                        if (!F_ISSET(leaf->mn_flags, F_DUPDATA)) {
@@ -8448,6 +8453,7 @@ mdb_cursor_del(MDB_cursor *mc, unsigned int flags)
                                                if (!(m2->mc_flags & C_INITIALIZED)) continue;
                                                if (m2->mc_pg[mc->mc_top] == mp) {
                                                        MDB_node *n2 = leaf;
+                                                       if (m2->mc_ki[mc->mc_top] >= NUMKEYS(mp)) continue;
                                                        if (m2->mc_ki[mc->mc_top] != mc->mc_ki[mc->mc_top]) {
                                                                n2 = NODEPTR(mp, m2->mc_ki[mc->mc_top]);
                                                                if (n2->mn_flags & F_SUBDATA) continue;