Hi,

I was working on the lmdb-go bindings for LMDB, using the 0.9.19 release and believe I have found a bug with MDB_MULTIPLE. The bug still exists on the latest commit of branch mdb.RE/0.9, a87c8fd8c9a4ce49be18a642e3572059f39ed1cf, I'm not sure if this bug is part of what held the 0.9.20 release back. But I wanted to check here.

I noticed that, for in a corner case of the mdb_cursor_put function when MDB_MULTIPLE is provided, if the number of items is specified to be zero this may lead to garbage data being written or a segfault. My intuition would be that this is essentially a noop, but I also would have thought EINVAL would be an acceptable error code for this strange use of mdb_cursor_put. The actual behavior of LMDB does not seem acceptable.

I've included an barebones example which I have written in C to demonstrate the problem. Please let me know what you think.

- Bryan

Here is my program's output

$ ./mdb_putmultiple_empty -V
LMDB 0.9.20: (January 11, 2017)
$ ./mdb_putmultiple_empty -n putmultiple_empty.mdb && echo ok
Segmentation fault (core dumped)

And, here is the program source

/* mdb_putmultiple_empty.c - test of MDB_PUT_MULTIPLE given zero items*/
#ifdef _WIN32
#include <windows.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include "lmdb.h"

static void
sighandle(int sig)
{
}

int main(int argc,char * argv[])
{
int rc;
MDB_env *env;
    MDB_txn *txn;
    MDB_cursor *cursor;
    MDB_dbi dbi;
    MDB_val vals[3];
const char *progname = argv[0], *act;
unsigned flags = 0;

for (; argc > 1 && argv[1][0] == '-'; argc--, argv++) {
if (argv[1][1] == 'n' && argv[1][2] == '\0')
flags |= MDB_NOSUBDIR;
else if (argv[1][1] == 'V' && argv[1][2] == '\0') {
printf("%s\n", MDB_VERSION_STRING);
exit(0);
} else
argc = 0;
}

if (argc<2 || argc>3) {
fprintf(stderr, "usage: %s [-V] [-n] srcpath\n", progname);
exit(EXIT_FAILURE);
}

#ifdef SIGPIPE
signal(SIGPIPE, sighandle);
#endif
#ifdef SIGHUP
signal(SIGHUP, sighandle);
#endif
signal(SIGINT, sighandle);
signal(SIGTERM, sighandle);

act = "creating environment";
rc = mdb_env_create(&env);
    if (rc == MDB_SUCCESS) {
   act = "setting maxdbs";
        rc = mdb_env_set_maxdbs(env, 1);
    }
if (rc == MDB_SUCCESS) {
   act = "opening environment";
rc = mdb_env_open(env, argv[1], flags, 0600);
}

if (rc == MDB_SUCCESS) {
   act = "beginning txn";
        rc = mdb_txn_begin(env, 0,0, &txn);
}
    if (rc == MDB_SUCCESS) {
   act = "opening dbi";
        rc = mdb_dbi_open(txn, "db", MDB_CREATE|MDB_DUPSORT|MDB_DUPFIXED, &dbi);
    } 
    if (rc == MDB_SUCCESS) {
   act = "opening cursor";
        rc = mdb_cursor_open(txn, dbi, &cursor);
    }
    if (rc == MDB_SUCCESS) {
   act = "put multiple with zero items but non-empty stride";
        vals[0].mv_size = 1;
        vals[0].mv_data = "x";

        vals[1].mv_size = 2;
        vals[1].mv_data = 0;
        vals[2].mv_size = 0;
        vals[2].mv_data = 0;

        rc = mdb_cursor_put(cursor, &vals[0], &vals[1], MDB_MULTIPLE);
    }
    if (rc == MDB_SUCCESS) {
   act = "put multiple with zero items but non-empty stride";
        vals[0].mv_size = 0;
        vals[0].mv_data = 0;
        vals[1].mv_size = 0;
        vals[1].mv_data = 0;
        rc = mdb_cursor_get(cursor, &vals[0], &vals[1], MDB_FIRST);
    }
    if (rc == MDB_SUCCESS) {
        fprintf(stderr, "FIRST: %.*s %.*s",
                (int)vals[0].mv_size, (char*)vals[0].mv_data, (int)vals[1].mv_size, (char*)vals[1].mv_data);
    }

if (rc)
fprintf(stderr, "%s: %s failed, error %d (%s)\n",
progname, act, rc, mdb_strerror(rc));
    mdb_txn_abort(txn);
mdb_env_close(env);

return rc ? EXIT_FAILURE : EXIT_SUCCESS;
}