/ Check-in [28ddecff]
Login
SQLite training in Houston TX on 2019-11-05 (details)
Part of the 2019 Tcl Conference

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Earlier detection of corruption in sqlite3VdbeRecordCompare() in order to avoid a potential buffer overread.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 28ddecff044dbc2dff50a7d8406ab67dfe06587f
User & Date: drh 2014-03-26 14:51:07
References
2014-03-26
15:14
Add an extra test case for the potential buffer overread patched by [28ddecff04]. check-in: f585f5d7 user: dan tags: trunk
Context
2014-03-26
16:22
Fix a potential buffer overread that could have occurred when searching a corrupt database file. check-in: db293547 user: drh tags: branch-3.8.4
15:05
Add a test case to verify that the previous change avoids excess buffer overread in sqlite3VdbeRecordCompare(). check-in: 2b28e8d5 user: drh tags: trunk
14:51
Earlier detection of corruption in sqlite3VdbeRecordCompare() in order to avoid a potential buffer overread. check-in: 28ddecff user: drh tags: trunk
12:02
Add an assert() and a comment to clarify the operation of the vdbeRecordCompareInt() routine. check-in: 851abdb8 user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/vdbeaux.c.

3430
3431
3432
3433
3434
3435
3436

3437
3438
3439
3440
3441
3442
3443
    szHdr1 = aKey1[0];
    d1 = szHdr1 + sqlite3VdbeSerialTypeLen(s1);
    i = 1;
    pRhs++;
  }else{
    idx1 = getVarint32(aKey1, szHdr1);
    d1 = szHdr1;

    i = 0;
  }

  VVA_ONLY( mem1.zMalloc = 0; ) /* Only needed by assert() statements */
  assert( pPKey2->pKeyInfo->nField+pPKey2->pKeyInfo->nXField>=pPKey2->nField 
       || CORRUPT_DB );
  assert( pPKey2->pKeyInfo->aSortOrder!=0 );







>







3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
    szHdr1 = aKey1[0];
    d1 = szHdr1 + sqlite3VdbeSerialTypeLen(s1);
    i = 1;
    pRhs++;
  }else{
    idx1 = getVarint32(aKey1, szHdr1);
    d1 = szHdr1;
    if( d1>(unsigned)nKey1 ) return 1;  /* Corruption */
    i = 0;
  }

  VVA_ONLY( mem1.zMalloc = 0; ) /* Only needed by assert() statements */
  assert( pPKey2->pKeyInfo->nField+pPKey2->pKeyInfo->nXField>=pPKey2->nField 
       || CORRUPT_DB );
  assert( pPKey2->pKeyInfo->aSortOrder!=0 );

Changes to test/corruptI.test.

36
37
38
39
40
41
42
43
44
45
46
47
48

49
50
51
52
} {}
db close

do_test 1.2 {
  set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
  set off [expr 2*1024 + $offset + 1]
  hexio_write test.db $off FF06

  breakpoint

  sqlite3 db test.db
  catchsql { SELECT * FROM t1 WHERE a = 10 }
} {1 {database disk image is malformed}}



finish_test








<
<
<


<
>



<
36
37
38
39
40
41
42



43
44

45
46
47
48

} {}
db close

do_test 1.2 {
  set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
  set off [expr 2*1024 + $offset + 1]
  hexio_write test.db $off FF06



  sqlite3 db test.db
  catchsql { SELECT * FROM t1 WHERE a = 10 }

} {0 {}}


finish_test