Check-in [240a4a48]
Overview
Comment: Fix a case where a corrupt stat4 record could go unrecognized due to integer overflow.
SHA3-256: 240a4a48b27a2b1070bba6d7da76a8df8e3f1808e262045d7ad2cf910df08f3d
User & Date: dan 2024-04-24 14:18:20
Context
2024-04-24
16:36
If a RETURNING clause contains a subquery that references the table that is being updated in the statement that includes the RETURNING clause, then mark the subquery as correlated so that it is recomputed for each result and not just computed once and reused. See forum post 2c83569ce8945d39. (check-in: 9ea6bcc8 user: drh tags: trunk)
14:18
Fix a case where a corrupt stat4 record could go unrecognized due to integer overflow. (check-in: 240a4a48 user: dan tags: trunk)
11:51
Add comments linking the assert() added in [cef4d9e3ba586735] to the places where the precondition that the assert() tests are actually required. (check-in: 6f0e7e19 user: drh tags: trunk)
Changes

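--- a/src/vdbemem.c
+++ b/src/vdbemem.c
@@ -1945,18 +1945,18 @@
   sqlite3 *db,                    /* Database handle */
   const void *pRec,               /* Pointer to buffer containing record */
   int nRec,                       /* Size of buffer pRec in bytes */
   int iCol,                       /* Column to extract */
   sqlite3_value **ppVal           /* OUT: Extracted value */
 ){
   u32 t = 0;                      /* a column type code */
-  int nHdr;                       /* Size of the header in the record */
-  int iHdr;                       /* Next unread header byte */
-  int iField;                     /* Next unread data byte */
-  int szField = 0;                /* Size of the current data field */
+  u32 nHdr;                       /* Size of the header in the record */
+  u32 iHdr;                       /* Next unread header byte */
+  i64 iField;                     /* Next unread data byte */
+  u32 szField = 0;                /* Size of the current data field */
   int i;                          /* Column index */
   u8 *a = (u8*)pRec;              /* Typecast byte array */
   Mem *pMem = *ppVal;             /* Write result into this Mem object */
 
   assert( iCol>0 );
   iHdr = getVarint32(a, nHdr);
   if( nHdr>nRec || iHdr>=nHdr ) return SQLITE_CORRUPT_BKPT;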
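Review bot: Making nHdr a u32 turns the guard on the hunk's last line, `if( nHdr>nRec || iHdr>=nHdr )`, into a signed/unsigned comparison: the int parameter nRec is promoted to unsigned, so a negative nRec would become a very large value and pass the check instead of being rejected. I cannot see the callers from this hunk; if every caller guarantees a non-negative size, pin that with `assert( nRec>=0 );` ahead of the comparison, otherwise reject it explicitly with `if( nRec<0 || nHdr>(u32)nRec || iHdr>=nHdr ) return SQLITE_CORRUPT_BKPT;`. The widened declarations carry no comment explaining why they differ from the neighbouring int locals, so the reason this commit exists is lost to the next reader; a line such as `/* Header offsets and field sizes are read from a possibly corrupt record: unsigned/64-bit so a hostile header cannot wrap a signed int */` above them would keep it. The function's signature line and the loop that advances iField and szField lie outside the hunk, so whether the later arithmetic is fully covered by the new types cannot be confirmed here.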

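--- a/test/corruptL.test
+++ b/test/corruptL.test
@@ -1500,9 +1500,94 @@
   WHERE name='i1';
 }
 db close
 sqlite3 db test.db
 do_catchsql_test 19.4 {
   PRAGMA integrity_check;
 } {1 {database disk image is malformed}}
+
+#-------------------------------------------------------------------------
+reset_db
+do_test 18.0 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+.open --hexdb
+| size 20480 pagesize 4096 filename crash-a4150b729051e4.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 05   .....@  ........
+|     32: 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04   ................
+|     48: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00   ................
+|     64: 00 00 00 00 00 00 00 00 00 00 ff f0 00 00 00 00   ................
+|     96: 00 00 00 00 0d 00 00 00 04 0e e5 00 0f c2 0f 75   ...............u
+|    112: 0f 19 0e e5 00 00 00 00 00 00 00 01 00 00 00 00   ................
+|   3808: 00 00 00 00 00 32 04 06 17 17 11 01 4b 69 6e 64   .....2......Kind
+|   3824: 65 78 74 31 61 62 63 74 31 05 43 52 45 41 54 45   ext1abct1.CREATE
+|   3840: 20 49 4e 44 45 58 20 74 31 61 62 63 20 4f 4e 20    INDEX t1abc ON 
+|   3856: 74 31 28 61 2c 62 2c 63 29 5a 03 06 17 25 25 01   t1(a,b,c)Z...%%.
+|   3872: 79 74 61 62 6c 65 73 71 6c 69 74 65 5f 73 74 61   ytablesqlite_sta
+|   3888: 74 34 73 71 6c 69 74 65 5f 73 74 61 74 34 04 43   t4sqlite_stat4.C
+|   3904: 52 45 41 54 45 20 54 41 42 4c 45 20 73 71 6c 69   REATE TABLE sqli
+|   3920: 74 65 5f 73 74 61 74 34 28 74 62 6c 2c 69 64 78   te_stat4(tbl,idx
+|   3936: 2c 6e 65 71 2c 6e 6c 74 2c 6e 64 6c 74 2c 73 61   ,neq,nlt,ndlt,sa
+|   3952: 6d 70 6c 65 29 4b 02 06 17 25 25 01 5b 74 61 62   mple)K...%%.[tab
+|   3968: 6c 65 73 71 6c 69 74 65 5f 73 74 61 74 31 73 71   lesqlite_stat1sq
+|   3984: 6c 69 74 65 5f 73 74 61 74 31 03 43 52 45 41 54   lite_stat1.CREAT
+|   4000: 45 20 54 41 42 4c 45 20 73 71 6c 69 74 65 5f 73   E TABLE sqlite_s
+|   4016: 74 61 74 31 28 74 62 6c 2c 69 64 78 2c 73 74 61   tat1(tbl,idx,sta
+|   4032: 74 29 3c 01 06 17 11 11 01 65 74 61 62 6c 65 74   t)<......etablet
+|   4048: 31 74 31 02 43 52 45 41 54 45 20 54 41 42 4c 45   1t1.CREATE TABLE
+|   4064: 20 74 31 28 61 20 54 45 58 54 2c 20 62 20 49 4e    t1(a TEXT, b IN
+|   4080: 54 2c 20 63 20 49 4e 54 2c 20 64 20 49 4e 54 29   T, c INT, d INT)
+| page 2 offset 4096
+|      0: 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|   4000: 0b 07 05 13 01 01 01 62 63 64 64 06 0b 0c 06 05   .......bcdd.....
+|   4016: 13 02 01 01 64 65 66 01 59 09 0a 0c 05 05 13 03   ....def.Y.......
+|   4032: 01 01 64 65 66 02 6f 08 09 0c 04 05 13 02 01 01   ..def.o.........
+|   4048: 61 62 63 01 59 07 08 0c 03 05 13 02 01 01 87 62   abc.Y..........b
+|   4064: 63 00 ea 06 07 0c 02 05 13 02 01 01 61 62 63 00   c...........abc.
+|   4080: ea 06 06 0b 01 05 13 01 01 01 61 62 63 7b 04 04   ..........abc...
+| page 3 offset 8192
+|      0: 0d 00 00 00 01 0f e0 00 0f e1 00 00 00 00 00 00   ................
+|   4064: 00 1d 01 04 11 17 31 74 31 74 31 61 62 63 31 30   ......1t1t1abc10
+|   4080: 30 30 30 20 35 30 30 30 20 32 30 30 30 20 31 30   000 5000 2000 10
+| page 4 offset 12288
+|      0: 0d 00 00 00 07 0e ac 00 0f d1 0f a0 0f 6f 0f 3e   .............o.>
+|     16: 0f 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|   3744: 00 00 00 00 00 00 00 00 00 00 00 00 2f 07 07 11   ............/...
+|   3760: 17 1b 1b 1b 24 74 31 74 31 61 62 63 32 20 31 20   ....$t1t1abc2 1 
+|   3776: 31 20 31 35 20 36 20 36 20 36 32 20 35 20 36 20   1 15 6 6 62 5 6 
+|   3792: 36 05 13 02 01 01 64 65 66 02 37 08 05 2f 06 07   6.....def.7../..
+|   3808: 11 17 1b 1b 1b 24 74 41 74 31 61 62 63 32 20 31   .....$tAt1abc2 1
+|   3824: 20 31 20 31 35 20 35 20 55 20 35 32 20 34 20 35    1 15 5 U 52 4 5
+|   3840: 20 35 05 13 02 01 01 64 65 66 01 59 09 06 2e 05    5.....def.Y....
+|   3856: 07 11 17 1b 1b 1b 22 74 31 74 31 61 62 63 31 20   .......t1t1abc1 
+|   3872: 31 20 31 20 31 34 20 34 20 34 20 34 31 20 33 20   1 1 14 4 4 41 3 
+|   3888: 34 20 34 08 b3 cd f0 f1 62 63 64 64 06 07 2f 05   4 4.....bcdd../.
+|   3904: 07 11 17 1b 1b 1b 24 74 37 74 31 61 62 63 34 20   ......$t7t1abc4 
+|   3920: 31 20 31 20 31 30 20 33 20 33 20 33 30 20 32 20   1 1 10 3 3 30 2 
+|   3936: 33 20 33 05 13 02 01 01 61 62 63 01 59 07 04 2f   3 3.....abc.Y../
+|   3952: 03 07 11 17 1b 1b 1b 24 74 31 74 31 61 62 63 34   .......$t1t1abc4
+|   3968: 20 32 20 31 20 31 30 20 31 20 32 20 32 30 20 31    2 1 10 1 2 20 1
+|   3984: 20 32 20 32 05 13 02 01 01 61 62 63 00 ea 06 03    2 2.....abc....
+|   4000: 2f 02 07 11 17 1b 1b 1b 24 74 31 74 31 61 62 63   /.......$t1t1abc
+|   4016: 34 20 32 20 31 20 31 30 20 31 20 31 20 31 30 20   4 2 1 10 1 1 10 
+|   4032: 31 20 31 20 31 05 13 02 01 01 61 62 63 00 ea 05   1 1 1.....abc...
+|   4048: 02 2d 01 07 11 17 1b 1b 1b 20 74 31 74 31 61 62   .-....... t1t1ab
+|   4064: 63 34 20 31 20 31 20 31 30 20 30 20 30 1f 30 30   c4 1 1 10 0 0.00
+|   4080: 20 30 20 30 20 30 05 13 01 01 09 61 62 63 7b 04    0 0 0.....abc..
+| page 5 offset 16384
+|      0: 0a 00 00 00 07 0f a8 00 0f f5 00 00 00 00 00 00   ................
+|   4000: 00 00 00 00 00 00 00 00 0c 05 13 02 01 01 64 65   ..............de
+|   4016: 66 02 37 08 05 0c 05 13 02 01 01 64 65 66 01 59   f.7........def.Y
+|   4032: 09 06 0b 05 12 01 01 01 62 63 64 64 06 07 0c 05   ........bcdd....
+|   4048: 13 02 01 01 61 62 63 01 59 07 01 2c 05 13 02 01   ....abc.Y..,....
+|   4064: 01 61 62 63 00 ea 06 03 0c 05 13 02 01 01 61 62   .abc..........ab
+|   4080: 63 00 ea 05 00 00 00 00 00 00 00 00 00 00 00 00   c...............
+| end crash-a4150b729051e4.db
+}]} {}
+
+do_catchsql_test 18.1 {
+  SELECT a FROM t1 WHERE b GLOB b AND b GLOB '0^x]␅6␚xz]';
+} {1 {database disk image is malformed}}
 
 finish_test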
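Review bot: The new tests are numbered `do_test 18.0` and `do_catchsql_test 18.1` but are appended directly after `do_catchsql_test 19.4`, so the numbering runs backwards and, if an earlier section of this file already uses the 18.x prefix (not visible here), the test names will collide in the test log; renumbering them `20.0` and `20.1` keeps the file monotonic. The block also carries no comment saying what the crash database exercises, so a reader has to go back to the check-in message to learn that it targets a corrupt sqlite_stat4 record whose sizes overflowed a signed int; a line such as `# Corrupt sqlite_stat4 sample record whose header offsets overflow int (see check-in 240a4a48)` under the separator would make the test self-describing. The expected result only asserts the generic "database disk image is malformed" error, which is appropriate here, but it means a regression that reports the corruption from a different code path would still pass; that is a limitation worth noting in the same comment rather than something the test can easily fix.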