From bb2dcd2457bb8826006f7f70f7c03389dea1414c Mon Sep 17 00:00:00 2001
From: Dhruba Borthakur
Date: Fri, 21 Sep 2012 10:47:08 -0700
Subject: [PATCH] Segfault in DoCompactionWork caused by buffer overflow

Summary: The code was allocating 200 bytes on the stack but it writes 256 bytes into the array.
x8a8ea5 std::_Rb_tree<>::erase()
@ 0x7f134bee7eb0 (unknown)
@ 0x8a8ea5 std::_Rb_tree<>::erase()
@ 0x8a35d6 leveldb::DBImpl::CleanupCompaction()
@ 0x8a7810 leveldb::DBImpl::BackgroundCompaction()
@ 0x8a804d leveldb::DBImpl::BackgroundCall()
@ 0x8c4eff leveldb::(anonymous namespace)::PosixEnv::BGThreadWrapper()
@ 0x7f134b3c010d start_thread
@ 0x7f134bf9f10d clone

Test Plan: run db_bench with overwrite option

Reviewers: heyongqiang

Reviewed By: heyongqiang

Differential Revision: https://reviews.facebook.net/D5595
---
 db/db_impl.cc | 4 ++--
 db/version_set.cc | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/db/db_impl.cc b/db/db_impl.cc
index 5a4a0ab60..923abd5db 100644
--- a/db/db_impl.cc
+++ b/db/db_impl.cc
@@ -948,8 +948,8 @@ Status DBImpl::DoCompactionWork(CompactionState* compact) {
 compact->compaction->level(),
 compact->compaction->num_input_files(1),
 compact->compaction->level() + 1);
- char scratch[200];
- compact->compaction->Summary(scratch, 256);
+ char scratch[256];
+ compact->compaction->Summary(scratch, sizeof(scratch));
 Log(options_.info_log, "Compaction start summary: %s\n", scratch);
 
 assert(versions_->NumLevelFiles(compact->compaction->level()) > 0);
diff --git a/db/version_set.cc b/db/version_set.cc
index 1fcf831c8..141036536 100644
--- a/db/version_set.cc
+++ b/db/version_set.cc
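Review bot: `scratch` is still passed to `Log(..., "%s\n", scratch)` without ever being initialized by this function, so the log call depends entirely on `Compaction::Summary` writing a terminated string into it; the `return;` visible at the top of the version_set.cc hunk suggests Summary has an early-exit path that may leave `output` untouched, in which case `%s` reads uninitialized stack memory. A one-character change removes that dependency: `char scratch[256] = {0};` (or `scratch[0] = '\0';` before the call) so an early return from Summary logs an empty summary rather than garbage. The same concern applies to the version_set.cc hunk, where the early `return;` path is the natural place to guarantee `output[0] = '\0'` when `len > 0`. DoCompactionWork begins and ends outside this hunk, so the exact control flow around the call is not visible here.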
@@ -1620,10 +1620,10 @@ void Compaction::Summary(char* output, int len) {
 return;
 
 char level_low_summary[100];
- InputSummary(inputs_[0], level_low_summary, 100);
+ InputSummary(inputs_[0], level_low_summary, sizeof(level_low_summary));
 char level_up_summary[100];
 if (inputs_[1].size()) {
- InputSummary(inputs_[1], level_up_summary, 100);
+ InputSummary(inputs_[1], level_up_summary, sizeof(level_up_summary));
 } else {
 level_up_summary[0] = '\0';
 }
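Review bot: The two added `sizeof(...)` arguments are `size_t` values flowing into what the hunk header suggests is an `int` length parameter (`Summary` itself takes `int len`; InputSummary's signature is not visible, so this is inferred), which is an implicit unsigned-to-signed narrowing that warns under `-Wconversion` and hides the units mismatch this commit is fixing. Either cast explicitly at the call site, `InputSummary(inputs_[0], level_low_summary, static_cast<int>(sizeof(level_low_summary)));`, or, preferably, change the length parameters to `size_t` so the buffer size and the bound share a type. Summary continues past the end of this hunk, so the final write into `output` is not reviewed here.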