
Reader::open_mmap is unsound because it allows the caller to violate MmapOptions::map invariants #86

Open
paolobarbolini opened this issue Jan 8, 2025 · 0 comments


The Reader::open_mmap function is declared as a safe function that internally opens a file and calls MmapOptions::new().map(&file). The docs for MmapOptions say:

All file-backed memory map constructors are marked unsafe because of the potential for Undefined Behavior (UB) using the map if the underlying file is subsequently modified, in or out of process. Applications must consider the risk and take appropriate precautions when using file-backed maps. Solutions such as file permissions, locks or process-private (e.g. unlinked) files exist but are platform specific and limited.

maxminddb makes no effort to prevent the file from being modified from under it, leading to Reader::open_mmap being unsound. For the implementation to be sound, the function must either be unsafe and require the user to verify that their code abides by the memmap2 invariants, or an effort must be made to lock the file and make it read-only.
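To illustrate the two API shapes the report contrasts, here is an added example (not maxminddb's or memmap2's code). It uses a constructed `FileMap` type that copies the file into a `Vec` as a stand-in for a real file-backed mapping, so it runs with the standard library only, while keeping the same caller obligation that `MmapOptions::map` imposes. `open_mmap_unsound` shows the pattern the issue objects to (a safe function discharging the `unsafe` contract on the caller's behalf), `open_mmap` shows the sound shape (the `unsafe` and its `# Safety` contract propagated to the caller), and `check_read_only` is one of the partial, platform-limited precautions the memmap2 docs allude to. All names are hypothetical.

```rust
use std::fs::File;
use std::io::{self, Read};
use std::path::Path;

/// Constructed stand-in for a file-backed memory map. A real mapping (e.g.
/// memmap2's `Mmap`) aliases the file's pages, so the contract below is
/// what makes it sound; copying into a Vec only keeps the example runnable.
pub struct FileMap {
    bytes: Vec<u8>,
}

impl FileMap {
    /// Mirrors the contract of `MmapOptions::map`: the constructor is
    /// `unsafe` because a real mapping becomes UB if the file is changed
    /// underneath it.
    ///
    /// # Safety
    /// The caller guarantees the file is not modified or truncated, in or
    /// out of process, for as long as the returned `FileMap` is alive.
    pub unsafe fn map(file: &File) -> io::Result<Self> {
        let mut reader: &File = file; // `&File` implements `Read`
        let mut bytes = Vec::new();
        reader.read_to_end(&mut bytes)?;
        Ok(FileMap { bytes })
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.bytes
    }
}

/// The shape the issue reports: a *safe* function that opens a file and
/// calls the unsafe constructor. It compiles, but it is unsound, because a
/// caller can reach UB (with a real mapping) without ever writing `unsafe`.
pub fn open_mmap_unsound<P: AsRef<Path>>(path: P) -> io::Result<FileMap> {
    let file = File::open(path)?;
    // SAFETY: not upheld. Nothing here stops this or another process from
    // writing or truncating the file while the map is alive.
    unsafe { FileMap::map(&file) }
}

/// Sound shape: the function is `unsafe` and forwards the obligation.
///
/// # Safety
/// Same contract as `FileMap::map`: the file at `path` must not be modified
/// or truncated while the returned `FileMap` is alive.
pub unsafe fn open_mmap<P: AsRef<Path>>(path: P) -> io::Result<FileMap> {
    let file = File::open(path)?;
    // SAFETY: forwarded to our caller by this function's own contract.
    unsafe { FileMap::map(&file) }
}

/// A best-effort precaution of the kind memmap2's docs mention: refuse files
/// that are writable. This narrows the window but does not close it: the
/// check races with a later permission change and cannot prevent writes by
/// a privileged process, so it complements, and does not replace, the
/// `unsafe` contract above.
pub fn check_read_only(file: &File) -> io::Result<()> {
    let meta = file.metadata()?;
    if meta.permissions().readonly() {
        Ok(())
    } else {
        Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            "refusing to map a writable file",
        ))
    }
}

fn main() -> io::Result<()> {
    let path = std::env::temp_dir().join(format!("filemap-demo-{}.bin", std::process::id()));
    std::fs::write(&path, b"constructed sample bytes")?; // constructed input
    let file = File::open(&path)?;
    match check_read_only(&file) {
        Ok(()) => println!("file is read-only; precaution passed"),
        Err(e) => println!("precaution failed: {e}"),
    }
    // SAFETY: this demo is the only writer and does not touch the file again.
    let map = unsafe { open_mmap(&path)? };
    println!("mapped {} bytes", map.as_bytes().len());
    std::fs::remove_file(&path)?;
    Ok(())
}
```

The compiler accepts both `open_mmap_unsound` and `open_mmap`; the difference is purely about who carries the obligation. With the sound shape, a downstream crate that calls `open_mmap` must write an `unsafe` block and can be audited for what guarantees it actually provides, which is exactly what a safe `Reader::open_mmap` hides.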
