Off-by-one bug in sqlite3_rsync
(1) By Peter Alm (peteralm) on 2025-06-03 07:41:35
Hi,
We've discovered an off-by-one bug in sqlite3_rsync when the origin database has exactly one extra page compared to the replica database, causing the final page to not be synced.
Proposed fix:
diff -urN sqlite-src-3500000.orig/tool/sqlite3_rsync.c sqlite-src-3500000/tool/sqlite3_rsync.c
--- sqlite-src-3500000.orig/tool/sqlite3_rsync.c 2025-05-29 16:34:54.000000000 +0200
+++ sqlite-src-3500000/tool/sqlite3_rsync.c 2025-06-03 09:37:25.248384025 +0200
@@ -1538,7 +1538,7 @@
sqlite3_finalize(pInsHash);
pCkHash = 0;
pInsHash = 0;
- if( mxHash<p->nPage ){
+ if( mxHash<=p->nPage ){
runSql(p, "WITH RECURSIVE c(n) AS"
" (VALUES(%d) UNION ALL SELECT n+1 FROM c WHERE n<%d)"
" INSERT INTO badHash SELECT n, 1 FROM c",
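Review bot: the inclusive bound in `if( mxHash<=p->nPage ){` has no comment saying what mxHash holds at this point, and the hunk ends before the runSql argument list, so the values bound to `VALUES(%d)` and `n<%d` cannot be checked against the new condition from these lines. Please extend the context to include the arguments and add a one-line comment above the condition stating the invariant. If the two arguments are mxHash and p->nPage, then in the newly admitted case (mxHash equal to p->nPage) the recursive step `n<%d` contributes nothing and only the seed row is inserted into badHash, which matches the one-extra-page case in the report; a regression test with an origin exactly one page larger than the replica would lock that boundary in.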
Best regards, Peter
(2) By Richard Hipp (drh) on 2025-06-03 10:51:21 in reply to 1
Thanks for the bug report and the suggested patch, which seems to be correct. The suggested change has now been implemented on trunk and on branch-3.50.