Add test databases with empty map/array last in metadata

These databases reproduce the off-by-one bug in libmaxminddb's
get_entry_data_list() validation. When a 0-length map or array is
the last field in metadata, offset_to_next equals data_section_size
exactly, which the >= check incorrectly rejects.

ENG-4322

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: oschwald

bad-data/libmaxminddb/libmaxminddb-empty-array-last-in-metadata.mmdb

@@ -29,6 +29,8 @@ func (w *Writer) WriteBadDataDBs(target string) error {
 		{"libmaxminddb-oversized-map.mmdb", buildOversizedMapDB()},
 		{"libmaxminddb-uint64-max-epoch.mmdb", buildUint64MaxEpochDB()},
 		{"libmaxminddb-corrupt-search-tree.mmdb", buildCorruptSearchTreeDB()},
+		{"libmaxminddb-empty-map-last-in-metadata.mmdb", buildEmptyMapLastInMetadataDB()},
+		{"libmaxminddb-empty-array-last-in-metadata.mmdb", buildEmptyArrayLastInMetadataDB()},
 	} {
 		if err := writeRawDB(target, db.name, db.data); err != nil {
 			return fmt.Errorf("writing %s: %w", db.name, err)

bad-data/libmaxminddb/libmaxminddb-empty-map-last-in-metadata.mmdb

@@ -208,6 +208,140 @@ func buildUint64MaxEpochDB() []byte {
 	return buf[:pos]
 }
 
+// writeMetadataBlockEmptyMapLast writes a metadata block where the last field
+// is "description" (an empty map). This triggers the off-by-one bug where
+// offset_to_next == data_section_size for a 0-length container.
+func writeMetadataBlockEmptyMapLast(buf []byte, nodeCount uint32, buildEpoch uint64) int {
+	pos := 0
+
+	copy(buf[pos:], metadataMarker)
+	pos += len(metadataMarker)
+
+	pos += writeMap(buf[pos:], 9)
+
+	pos += writeMetaKey(buf[pos:], "binary_format_major_version")
+	pos += writeUint16(buf[pos:], 2)
+
+	pos += writeMetaKey(buf[pos:], "binary_format_minor_version")
+	pos += writeUint16(buf[pos:], 0)
+
+	pos += writeMetaKey(buf[pos:], "build_epoch")
+	pos += writeUint64(buf[pos:], buildEpoch)
+
+	pos += writeMetaKey(buf[pos:], "database_type")
+	pos += writeString(buf[pos:], "Test")
+
+	pos += writeMetaKey(buf[pos:], "ip_version")
+	pos += writeUint16(buf[pos:], 4)
+
+	pos += writeMetaKey(buf[pos:], "languages")
+	pos += writeEmptyArray(buf[pos:])
+
+	pos += writeMetaKey(buf[pos:], "node_count")
+	pos += writeUint32(buf[pos:], nodeCount)
+
+	pos += writeMetaKey(buf[pos:], "record_size")
+	pos += writeUint16(buf[pos:], 24)
+
+	// description last — empty map at the very end of the data section
+	pos += writeMetaKey(buf[pos:], "description")
+	pos += writeMap(buf[pos:], 0)
+
+	return pos
+}
+
+// writeMetadataBlockEmptyArrayLast writes a metadata block where the last
+// field is "languages" (an empty array).
+func writeMetadataBlockEmptyArrayLast(buf []byte, nodeCount uint32, buildEpoch uint64) int {
+	pos := 0
+
+	copy(buf[pos:], metadataMarker)
+	pos += len(metadataMarker)
+
+	pos += writeMap(buf[pos:], 9)
+
+	pos += writeMetaKey(buf[pos:], "binary_format_major_version")
+	pos += writeUint16(buf[pos:], 2)
+
+	pos += writeMetaKey(buf[pos:], "binary_format_minor_version")
+	pos += writeUint16(buf[pos:], 0)
+
+	pos += writeMetaKey(buf[pos:], "build_epoch")
+	pos += writeUint64(buf[pos:], buildEpoch)
+
+	pos += writeMetaKey(buf[pos:], "database_type")
+	pos += writeString(buf[pos:], "Test")
+
+	pos += writeMetaKey(buf[pos:], "description")
+	pos += writeMap(buf[pos:], 0)
+
+	pos += writeMetaKey(buf[pos:], "ip_version")
+	pos += writeUint16(buf[pos:], 4)
+
+	pos += writeMetaKey(buf[pos:], "node_count")
+	pos += writeUint32(buf[pos:], nodeCount)
+
+	pos += writeMetaKey(buf[pos:], "record_size")
+	pos += writeUint16(buf[pos:], 24)
+
+	// languages last — empty array at the very end of the data section
+	pos += writeMetaKey(buf[pos:], "languages")
+	pos += writeEmptyArray(buf[pos:])
+
+	return pos
+}
+
+// buildEmptyMapLastInMetadataDB creates a valid MMDB where the metadata
+// map's last field is "description" (an empty map {}). This reproduces the
+// off-by-one bug in get_entry_data_list() where offset == data_section_size
+// is incorrectly rejected for 0-length containers.
+func buildEmptyMapLastInMetadataDB() []byte {
+	const nodeCount = 1
+	const recordValue = nodeCount + 16
+
+	buf := make([]byte, 1024)
+	pos := 0
+
+	pos += writeSearchTree(buf[pos:], recordValue)
+
+	// 16-byte null separator
+	pos += dataSeparatorSize
+
+	// Data: a simple map with one string entry
+	pos += writeMap(buf[pos:], 1)
+	pos += writeString(buf[pos:], "ip")
+	pos += writeString(buf[pos:], "test")
+
+	pos += writeMetadataBlockEmptyMapLast(buf[pos:], nodeCount, 1_000_000_000)
+
+	return buf[:pos]
+}
+
+// buildEmptyArrayLastInMetadataDB creates a valid MMDB where the metadata
+// map's last field is "languages" (an empty array []). Tests the array
+// validation path of the same off-by-one bug.
+func buildEmptyArrayLastInMetadataDB() []byte {
+	const nodeCount = 1
+	const recordValue = nodeCount + 16
+
+	buf := make([]byte, 1024)
+	pos := 0
+
+	pos += writeSearchTree(buf[pos:], recordValue)
+
+	// 16-byte null separator
+	pos += dataSeparatorSize
+
+	// Data: a simple map with one string entry
+	pos += writeMap(buf[pos:], 1)
+	pos += writeString(buf[pos:], "ip")
+	pos += writeString(buf[pos:], "test")
+
+	pos += writeMetadataBlockEmptyArrayLast(buf[pos:], nodeCount, 1_000_000_000)
+
+	return buf[:pos]
+}
+
 // buildCorruptSearchTreeDB creates a complete MMDB where the metadata claims
 // node_count = 100 but the actual search tree has only 1 node worth of real
 // data (6 bytes for 24-bit records). The file is padded so MMDB_open