Database · C
How to fuzz LMDB
LMDB maps the database file directly into memory — a corrupt file can write anywhere.
LMDB uses memory-mapped I/O to access B-tree pages directly, meaning a crafted database file can trick page-pointer arithmetic into writing anywhere in the process address space. Its use in OpenLDAP, BitTorrent clients, and many embedded stores makes it a high-value fuzzing target.
Common bug classes
- Heap buffer overflow in B-tree leaf page key comparison
- Integer overflow in page number to file offset conversion
- Out-of-bounds read in overflow page chain traversal
- Use-after-free in cursor positioning after transaction abort
- Null dereference on zero-size database environment open
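Two of the bug classes above, the page-number-to-offset overflow and the overflow-chain over-read, come from trusting page numbers that were read out of the file. The check below is an added example, not the page's harness and not LMDB's own code: it shows what a bounds-checked page lookup over a raw file image looks like. It assumes the 64-bit MDB_page header layout of LMDB 0.9 (8-byte page number, 2-byte pad, 2-byte flags, 4-byte overflow page count, flag P_OVERFLOW = 0x04) and constructs its own small sample image with one well-formed and one truncated overflow chain.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed header layout (MDB_page on 64-bit LMDB 0.9):
 * offset 0: 8-byte page number, 8: 2-byte pad, 10: 2-byte flags,
 * 12: 4-byte overflow page count (only meaningful when P_OVERFLOW is set). */
#define PAGEHDR_SIZE        16
#define PAGE_FLAG_OVERFLOW  0x04

typedef struct {
    const uint8_t *base;  /* start of the file image (what mmap would return) */
    size_t len;           /* bytes in the image */
    size_t psize;         /* page size, taken from the meta page by a real reader */
} file_image;

/* Return the start of page pgno, or NULL unless the whole page lies inside
 * the image. The multiplication is guarded first, so a pgno chosen to wrap
 * pgno * psize back into range is rejected before the bounds test. */
const uint8_t *safe_page(const file_image *f, uint64_t pgno)
{
    if (f->psize < PAGEHDR_SIZE || f->len < f->psize) return NULL;
    if (pgno > SIZE_MAX / f->psize) return NULL;       /* would overflow size_t */
    size_t off = (size_t)pgno * f->psize;
    if (off > f->len - f->psize) return NULL;          /* page runs past the end */
    return f->base + off;
}

/* Validate an overflow chain that starts at pgno: the header must carry
 * P_OVERFLOW with a non-zero count, and every page pgno..pgno+count-1 must
 * be inside the image. Returns the chain length, or 0 if it is not usable. */
uint32_t safe_overflow_chain(const file_image *f, uint64_t pgno)
{
    const uint8_t *pg = safe_page(f, pgno);
    if (!pg) return 0;
    uint16_t flags;
    uint32_t npages;
    memcpy(&flags, pg + 10, sizeof flags);
    memcpy(&npages, pg + 12, sizeof npages);
    if (!(flags & PAGE_FLAG_OVERFLOW) || npages == 0) return 0;
    if ((uint64_t)npages - 1 > UINT64_MAX - pgno) return 0;   /* pgno + count wraps */
    if (!safe_page(f, pgno + npages - 1)) return 0;           /* last page past the end */
    return npages;
}

/* Constructed sample image: 4 pages of 64 bytes. Page 1 heads a valid
 * 2-page overflow chain; page 3 claims 10 overflow pages and runs off the end. */
#define SAMPLE_PSIZE 64
#define SAMPLE_PAGES 4
static uint8_t sample_buf[SAMPLE_PSIZE * SAMPLE_PAGES];

static void put_page_hdr(uint8_t *pg, uint64_t pgno, uint16_t flags, uint32_t npages)
{
    memset(pg, 0, PAGEHDR_SIZE);
    memcpy(pg + 0, &pgno, sizeof pgno);
    memcpy(pg + 10, &flags, sizeof flags);
    memcpy(pg + 12, &npages, sizeof npages);
}

void make_sample(file_image *f)
{
    memset(sample_buf, 0, sizeof sample_buf);
    put_page_hdr(sample_buf + 0 * SAMPLE_PSIZE, 0, 0, 0);
    put_page_hdr(sample_buf + 1 * SAMPLE_PSIZE, 1, PAGE_FLAG_OVERFLOW, 2);
    put_page_hdr(sample_buf + 2 * SAMPLE_PSIZE, 2, 0, 0);
    put_page_hdr(sample_buf + 3 * SAMPLE_PSIZE, 3, PAGE_FLAG_OVERFLOW, 10);
    f->base = sample_buf;
    f->len = sizeof sample_buf;
    f->psize = SAMPLE_PSIZE;
}

int main(void)
{
    file_image f;
    make_sample(&f);
    printf("page 3 in range: %s\n", safe_page(&f, 3) ? "yes" : "no");
    printf("page 4 in range: %s\n", safe_page(&f, 4) ? "yes" : "no");
    printf("chain at page 1: %u pages\n", safe_overflow_chain(&f, 1));
    printf("chain at page 3: %u pages (0 = rejected)\n", safe_overflow_chain(&f, 3));
    return 0;
}
```

The same two guards belong in any reader that derives pointers from on-disk page numbers: check the multiplication before it happens, and check the last page of a run, not just the first. A sanitizer-instrumented harness finds their absence as an ASan out-of-bounds read on the mapped region or a UBSan unsigned-wrap report, depending on the build flags.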
Recommended setup
Fuzzers
- AFL++
- libFuzzer
Sanitizers
- ASan
- UBSan
Harness scaffold
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>   /* write, close, unlink */
#include <lmdb.h>
#ifdef __cplusplus
extern "C"
#endif
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    /* Write the fuzz input to a temp file and open that file as an LMDB environment.
     * MDB_NOSUBDIR: the path is the data file itself, not a directory.
     * MDB_RDONLY:   never write back into the input.
     * MDB_NOLOCK:   skip the "<path>-lock" file that would otherwise be created
     *               and left behind on every iteration. */
    char path[] = "/tmp/fuzz_lmdb_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    if (write(fd, data, size) != (ssize_t)size) { close(fd); unlink(path); return 0; }
    close(fd);
    MDB_env *env;
    if (mdb_env_create(&env) == MDB_SUCCESS) {
        mdb_env_set_mapsize(env, 1UL << 20);
        if (mdb_env_open(env, path, MDB_RDONLY | MDB_NOSUBDIR | MDB_NOLOCK, 0600) == MDB_SUCCESS) {
            /* Opening only parses the meta pages. Walk the main B-tree with a
             * cursor so leaf key comparison and overflow-page chains are reached. */
            MDB_txn *txn; MDB_dbi dbi; MDB_cursor *cur; MDB_val key, val;
            if (mdb_txn_begin(env, NULL, MDB_RDONLY, &txn) == MDB_SUCCESS) {
                if (mdb_dbi_open(txn, NULL, 0, &dbi) == MDB_SUCCESS &&
                    mdb_cursor_open(txn, dbi, &cur) == MDB_SUCCESS) {
                    while (mdb_cursor_get(cur, &key, &val, MDB_NEXT) == MDB_SUCCESS)
                        ;
                    mdb_cursor_close(cur);
                }
                mdb_txn_abort(txn);
            }
        }
        mdb_env_close(env);
    }
    unlink(path);
    return 0;
}

Save this as fuzz_target.cc, build with your compiler + sanitizer flags and link against liblmdb, and you have a working starting point.