From 442d85730e5f6152d3bd0f1c459de83c93d58f9d Mon Sep 17 00:00:00 2001
From: Andrey Kravchenko
Date: Mon, 8 Jun 2026 16:48:49 +0300
Subject: [PATCH 1/2] Fix server crash when read a malformed replication segment

---
 src/jrd/replication/Applier.cpp | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/jrd/replication/Applier.cpp b/src/jrd/replication/Applier.cpp
index 35efae0791b..1439722272f 100644
--- a/src/jrd/replication/Applier.cpp
+++ b/src/jrd/replication/Applier.cpp
@@ -127,13 +127,21 @@ namespace
 
 		const string& getAtomString()
 		{
-			const auto pos = getInt32();
+			const ULONG pos = static_cast(getInt32());
+
+			if (pos >= m_atoms.getCount())
+				malformed();
+
 			return m_atoms[pos];
 		}
 
 		const MetaString getAtomMetaName()
 		{
-			const auto pos = getInt32();
+			const ULONG pos = static_cast(getInt32());
+
+			if (pos >= m_atoms.getCount())
+				malformed();
+
 			return m_atoms[pos];
 		}
 
@@ -152,7 +160,7 @@ namespace
 
 		string getString()
 		{
-			const auto length = getInt32();
+			const ULONG length = static_cast(getInt32());
 
 			if (m_data + length > m_end)
 				malformed();

From c5a30e38d7c7466b79e3adeb8991e2d459ac766e Mon Sep 17 00:00:00 2001
From: Andrey Kravchenko
Date: Mon, 8 Jun 2026 17:53:08 +0300
Subject: [PATCH 2/2] Revert the length definition in the getString function back to how it was. Also add a length check to the defineAtom function.

---
 src/jrd/replication/Applier.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/jrd/replication/Applier.cpp b/src/jrd/replication/Applier.cpp
index 1439722272f..5bd0f2bef20 100644
--- a/src/jrd/replication/Applier.cpp
+++ b/src/jrd/replication/Applier.cpp
@@ -160,9 +160,9 @@ namespace
 
 		string getString()
 		{
-			const ULONG length = static_cast(getInt32());
+			const auto length = getInt32();
 
-			if (m_data + length > m_end)
+			if (length <= 0 || m_end - m_data < length)
 				malformed();
 
 			const string str((const char*) m_data, length);
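Review bot: The new index check is written out twice, and getAtomMetaName's body is now identical to getAtomString's; since the existing `return m_atoms[pos];` already relies on the string element converting to MetaString, getAtomMetaName could be reduced to `return getAtomString();` so the validation lives in one place. The cast shows as `static_cast(getInt32())` in this rendering with no template argument, presumably `static_cast<ULONG>` lost in extraction; worth confirming against the file. The check only protects `m_atoms[pos]` if malformed() does not return, which the existing getString path already assumes; a short comment such as `// malformed() does not return; a negative index wraps to a large ULONG and is rejected here` would make the cast-then-compare intent explicit.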
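Review bot: `length <= 0` in the final getString guard rejects a zero-length string as malformed, where the previous condition accepted it (`m_data + 0 > m_end` is false) and yielded an empty string; if the segment format can carry an empty string value, this turns valid replication data into an error. If the writer never emits zero, a comment saying so at the check would stop the next reader from "fixing" it; otherwise `if (length < 0 || m_end - m_data < length)` keeps the negative-length protection without the behaviour change. The subtraction form also relies on `m_data <= m_end` holding so the difference is non-negative, an invariant presumably kept by every advance of m_data but not visible in this hunk. getString's body continues past the hunk.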
@@ -172,7 +172,7 @@ namespace
 
 		const UCHAR* getBinary(ULONG length)
 		{
-			if (m_data + length > m_end)
+			if (m_end - m_data < length)
 				malformed();
 
 			const auto ptr = m_data;
@@ -193,6 +193,9 @@ namespace
 		void defineAtom()
 		{
 			const auto length = getByte();
+			if (length <= 0)
+				malformed();
+
 			const auto ptr = getBinary(length);
 			const MetaString name((const char*) ptr, length);
 			m_atoms.add(name);
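Review bot: `m_end - m_data < length` in getBinary compares a ptrdiff_t with the unsigned ULONG parameter, a signed/unsigned comparison that -Wsign-compare flags on targets where the two types have the same width. Provided the class keeps `m_data <= m_end` (which the check already depends on), `if (static_cast<size_t>(m_end - m_data) < length)` states the intent and avoids the implicit conversion. getBinary's body continues past the hunk.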
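Review bot: `length <= 0` in defineAtom reads as a signed check, but getByte presumably returns an unsigned byte, in which case the condition is simply `length == 0`; writing `if (length == 0)` says what is tested and saves a reader looking for the negative case. It would also help to record why an empty name is rejected, e.g. `// an atom is an identifier; a zero-length name is never written by the producer`, adjusted to what the writer side actually guarantees. The blank line that separates the check from the next statement in getString is missing here between `getByte()` and the `if`, a minor consistency nit.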