Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Fix a case introduced by [4cd2a967] where a corrupt database could cause a buffer overwrite. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA1: |
5d0455fece514552ad7f283d56526f53 |
User & Date: | dan 2017-03-03 20:02:53.439 |
Context
2017-03-03
| ||
20:43 | Fix another corner-case for the 'start of ...' modifier in the date/time functions. Related to ticket [6097cb92745327a1]. (check-in: 8831f4393d user: drh tags: trunk) | |
20:02 | Fix a case introduced by [4cd2a967] where a corrupt database could cause a buffer overwrite. (check-in: 5d0455fece user: dan tags: trunk) | |
16:51 | Before beginning an incremental checkpoint in RBU, sync the directory containing the target database file. This ensures that the new directory entry created by renaming the *-oal file to *-wal is synced to disk. (check-in: 915a9a2878 user: dan tags: trunk) | |
Changes
Changes to src/btree.c.
︙ | ︙ | |||
1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 | temp = 0; src = data = pPage->aData; hdr = pPage->hdrOffset; cellOffset = pPage->cellOffset; nCell = pPage->nCell; assert( nCell==get2byte(&data[hdr+3]) ); iCellFirst = cellOffset + 2*nCell; /* This block handles pages with two or fewer free blocks and nMaxFrag ** or fewer fragmented bytes. In this case it is faster to move the ** two (or one) blocks of cells using memmove() and add the required ** offsets to each pointer in the cell-pointer array than it is to ** reconstruct the entire page. */ if( (int)data[hdr+7]<=nMaxFrag ){ int iFree = get2byte(&data[hdr+1]); if( iFree ){ int iFree2 = get2byte(&data[iFree]); if( 0==iFree2 || (data[iFree2]==0 && data[iFree2+1]==0) ){ u8 *pEnd = &data[cellOffset + nCell*2]; u8 *pAddr; int sz2 = 0; int sz = get2byte(&data[iFree+2]); int top = get2byte(&data[hdr+5]); if( iFree2 ){ sz2 = get2byte(&data[iFree2+2]); memmove(&data[iFree+sz+sz2], &data[iFree+sz], iFree2-(iFree+sz)); sz += sz2; } cbrk = top+sz; memmove(&data[cbrk], &data[top], iFree-top); for(pAddr=&data[cellOffset]; pAddr<pEnd; pAddr+=2){ pc = get2byte(pAddr); if( pc<iFree ){ put2byte(pAddr, pc+sz); } else if( pc<iFree2 ){ put2byte(pAddr, pc+sz2); } } goto defragment_out; } } } | > > > > > > > > > > > > > > > < < | 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 | temp = 0; src = data = pPage->aData; hdr = pPage->hdrOffset; cellOffset = pPage->cellOffset; nCell = pPage->nCell; assert( nCell==get2byte(&data[hdr+3]) ); iCellFirst = cellOffset + 2*nCell; usableSize = pPage->pBt->usableSize; /* This block handles pages with two or fewer free blocks and nMaxFrag ** or fewer fragmented bytes. In this case it is faster to move the ** two (or one) blocks of cells using memmove() and add the required ** offsets to each pointer in the cell-pointer array than it is to ** reconstruct the entire page. */ if( (int)data[hdr+7]<=nMaxFrag ){ int iFree = get2byte(&data[hdr+1]); if( iFree ){ int iFree2 = get2byte(&data[iFree]); /* pageFindSlot() has already verified that free blocks are sorted ** in order of offset within the page, and that no block extends ** past the end of the page. Provided the two free slots do not ** overlap, this guarantees that the memmove() calls below will not ** overwrite the usableSize byte buffer, even if the database page ** is corrupt. */ assert( iFree2==0 || iFree2>iFree ); assert( iFree+get2byte(&data[iFree+2]) <= usableSize ); assert( iFree2==0 || iFree2+get2byte(&data[iFree2+2]) <= usableSize ); if( 0==iFree2 || (data[iFree2]==0 && data[iFree2+1]==0) ){ u8 *pEnd = &data[cellOffset + nCell*2]; u8 *pAddr; int sz2 = 0; int sz = get2byte(&data[iFree+2]); int top = get2byte(&data[hdr+5]); if( iFree2 ){ if( iFree+sz>iFree2 ) return SQLITE_CORRUPT_BKPT; sz2 = get2byte(&data[iFree2+2]); assert( iFree+sz+sz2+iFree2-(iFree+sz) <= usableSize ); memmove(&data[iFree+sz+sz2], &data[iFree+sz], iFree2-(iFree+sz)); sz += sz2; } cbrk = top+sz; assert( cbrk+(iFree-top) <= usableSize ); memmove(&data[cbrk], &data[top], iFree-top); for(pAddr=&data[cellOffset]; pAddr<pEnd; pAddr+=2){ pc = get2byte(pAddr); if( pc<iFree ){ put2byte(pAddr, pc+sz); } else if( pc<iFree2 ){ put2byte(pAddr, pc+sz2); } } goto defragment_out; } } } cbrk = usableSize; iCellLast = usableSize - 4; for(i=0; i<nCell; i++){ u8 *pAddr; /* The i-th cell pointer */ pAddr = &data[cellOffset + i*2]; pc = get2byte(pAddr); testcase( pc==iCellFirst ); testcase( pc==iCellLast ); /* These conditions have already been verified in btreeInitPage() |
︙ | ︙ |
Added test/corruptK.test.
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 | # 2017-03-03 # # The author disclaims copyright to this source code. In place of # a legal notice, here is a blessing: # # May you do good and not evil. # May you find forgiveness for yourself and forgive others. # May you share freely, never taking more than you give. # #*********************************************************************** # set testdir [file dirname $argv0] source $testdir/tester.tcl set testprefix corruptK if {[permutation]=="mmap"} { finish_test return } # This module uses hard-coded offsets which do not work if the reserved_bytes # value is nonzero. if {[nonzero_reserved_bytes]} {finish_test; return;} database_may_be_corrupt # Initialize the database. # do_execsql_test 1.1 { PRAGMA page_size=1024; PRAGMA auto_vacuum=0; CREATE TABLE t1(x); INSERT INTO t1 VALUES(randomblob(20)); INSERT INTO t1 VALUES(randomblob(100)); -- make this into a free slot INSERT INTO t1 VALUES(randomblob(27)); -- this one will be corrupt INSERT INTO t1 VALUES(randomblob(800)); DELETE FROM t1 WHERE rowid=2; -- free the 100 byte slot PRAGMA page_count } {2} # Corrupt the database so that the blob stored immediately before # the free slot (rowid==3) has an overlarge length field. So that # we can use sqlite3_blob_write() to manipulate the size field of # the free slot. # # Then use sqlite3_blob_write() to set the size of said free slot # to 24 bytes (instead of the actual 100). # # Then use the new 24 byte slot. Leaving the in-memory version of # the page with zero free slots and a large nFree value. Then try # to allocate another slot to get to defragmentPage(). # do_test 1.2 { db close hexio_write test.db [expr 1024 + 0x360] 21 hexio_write test.db [expr 1024 + 0x363] [format %x [expr 31*2 + 12]] sqlite3 db test.db set fd [db incrblob t1 x 3] fconfigure $fd -translation binary -encoding binary seek $fd 30 puts -nonewline $fd "\x18" close $fd } {} do_execsql_test 1.3 { INSERT INTO t1 VALUES(randomblob(20)); } do_catchsql_test 1.4 { INSERT INTO t1 VALUES(randomblob(90)); } {1 {database disk image is malformed}} #------------------------------------------------------------------------- reset_db do_execsql_test 2.1 { PRAGMA page_size=1024; PRAGMA auto_vacuum=0; CREATE TABLE t1(x); INSERT INTO t1 VALUES(randomblob(20)); INSERT INTO t1 VALUES(randomblob(20)); -- free this one INSERT INTO t1 VALUES(randomblob(20)); INSERT INTO t1 VALUES(randomblob(20)); -- and this one INSERT INTO t1 VALUES(randomblob(20)); -- corrupt this one. DELETE FROM t1 WHERE rowid IN(2, 4); PRAGMA page_count } {2} do_test 2.2 { db close hexio_write test.db [expr 1024 + 0x388] 53 hexio_write test.db [expr 1024 + 0x38A] 03812C sqlite3 db test.db set fd [db incrblob t1 x 5] fconfigure $fd -translation binary -encoding binary seek $fd 22 puts -nonewline $fd "\x5d" close $fd } {} do_catchsql_test 2.3 { INSERT INTO t1 VALUES(randomblob(900)); } {1 {database disk image is malformed}} finish_test |