From 5f94f68074b4a78483afd63c3f8a67141c9aeab8 Mon Sep 17 00:00:00 2001 From: Ibrahim Jarif Date: Wed, 20 Nov 2019 22:46:51 +0530 Subject: [PATCH] Limit manifest's change set size (#1119) This PR limits the amount of memory we allocated for reading the manifest changes set's size. When a manifest file is corrupted, in the worst case we might end up allocating more than 4GB. This PR ensures we don't over-allocate the byte slice. Fixes https://github.com/dgraph-io/badger/issues/490 --- manifest.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/manifest.go b/manifest.go index fc3ceb424..3d7faa5e9 100644 --- a/manifest.go +++ b/manifest.go @@ -353,6 +353,11 @@ func ReplayManifestFile(fp *os.File) (Manifest, int64, error) { version, magicVersion) } + stat, err := fp.Stat() + if err != nil { + return Manifest{}, 0, err + } + build := createManifest() var offset int64 for { @@ -366,6 +371,12 @@ func ReplayManifestFile(fp *os.File) (Manifest, int64, error) { return Manifest{}, 0, err } length := y.BytesToU32(lenCrcBuf[0:4]) + // Sanity check to ensure we don't over-allocate memory. + if length > uint32(stat.Size()) { + return Manifest{}, 0, errors.Errorf( + "Buffer length: %d greater than file size: %d. Manifest file might be corrupted", + length, stat.Size()) + } var buf = make([]byte, length) if _, err := io.ReadFull(&r, buf); err != nil { if err == io.EOF || err == io.ErrUnexpectedEOF {
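Review bot: The guard `length > uint32(stat.Size())` in the second hunk narrows the int64 file size to 32 bits, so once a manifest reaches 4 GiB the bound wraps around and well-formed records can be reported as corruption. Widening the other operand keeps the comparison exact: `if int64(length) > stat.Size() {`. The bound is also the whole file size, taken once before the loop in the first hunk, rather than the bytes still unread. A corrupt length near the end of a large manifest can therefore still trigger an allocation of up to the file size before `io.ReadFull` fails. If the loop's offset tracking (outside these hunks) allows it, comparing against the remaining bytes would be tighter. The body of `ReplayManifestFile` starts and ends outside both hunks, so how `offset` is advanced is not visible here.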