- If (keysize+datasize)%(bsize=14)==0, insertion of a `big key' would cause

an invariant (actually, an ugly hack) to fail, and all Hell would break
   loose.

   When deleting a big key, the offset of an empty page should be bsize, not
   bsize-1; otherwise an insertion into the empty page will cause the new key to
   be elongated by 1 byte.

   Make the packing more dense in a couple of cases.

 - fix NULL dereference exposed on big bsize values;

Obtained from:	NetBSD via OpenBSD

lib/libc/db/hash/hash_bigkey.c

@@ -118,18 +118,30 @@ __big_insert(HTAB *hashp, BUFHEAD *bufp, const DBT *key, const DBT *val)
 			return (-1);
 		n = p[0];
 		if (!key_size) {
-			if (FREESPACE(p)) {
-				move_bytes = MIN(FREESPACE(p), val_size);
+			space = FREESPACE(p);
+			if (space) {
+				move_bytes = MIN(space, val_size);
+				/*
+				 * If the data would fit exactly in the
+				 * remaining space, we must overflow it to the
+				 * next page; otherwise the invariant that the
+				 * data must end on a page with FREESPACE
+				 * non-zero would fail.
+				 */
+				if (space == val_size && val_size == val->size)
+					goto toolarge;
 				off = OFFSET(p) - move_bytes;
-				p[n] = off;
 				memmove(cp + off, val_data, move_bytes);
 				val_data += move_bytes;
 				val_size -= move_bytes;
+				p[n] = off;
 				p[n - 2] = FULL_KEY_DATA;
 				FREESPACE(p) = FREESPACE(p) - move_bytes;
 				OFFSET(p) = off;
-			} else
+			} else {
+			toolarge:
 				p[n - 2] = FULL_KEY;
+			}
 		}
 		p = (u_int16_t *)bufp->page;
 		cp = bufp->page;
@@ -239,12 +251,12 @@ __big_delete(HTAB *hashp, BUFHEAD *bufp)
 	n -= 2;
 	bp[0] = n;
 	FREESPACE(bp) = hashp->BSIZE - PAGE_META(n);
-	OFFSET(bp) = hashp->BSIZE - 1;
+	OFFSET(bp) = hashp->BSIZE;
 
 	bufp->flags |= BUF_MOD;
 	if (rbufp)
 		__free_ovflpage(hashp, rbufp);
-	if (last_bfp != rbufp)
+	if (last_bfp && last_bfp != rbufp)
 		__free_ovflpage(hashp, last_bfp);
 
 	hashp->NKEYS--;