/ Check-in [5d0455fe]
Login
Home Timeline Branches

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix a case introduced by [4cd2a967] where a corrupt database could cause a buffer overwrite.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 5d0455fece514552ad7f283d56526f53d7c688bd
User & Date: dan 2017-03-03 20:02:53
Context
2017-03-03
20:43
Fix another corner-case for the 'start of ...' modifier in the date/time functions. Related to ticket [6097cb92745327a1]. (check-in: 8831f439 user: drh tags: trunk)
20:02
Fix a case introduced by [4cd2a967] where a corrupt database could cause a buffer overwrite. (check-in: 5d0455fe user: dan tags: trunk)
16:51
Before beginning an incremental checkpoint in RBU, sync the directory containing the target database file. This ensures that the new directory entry created by renaming the *-oal file to *-wal is synced to disk. (check-in: 915a9a28 user: dan tags: trunk)
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/btree.c. 

1351
1352
1353
1354
1355
1356
1357

1358
1359
1360
1361
1362
1363
1364
1365
1366
1367











1368
1369
1370
1371
1372
1373
1374

1375

1376
1377
1378
1379

1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401

  temp = 0;
  src = data = pPage->aData;
  hdr = pPage->hdrOffset;
  cellOffset = pPage->cellOffset;
  nCell = pPage->nCell;
  assert( nCell==get2byte(&data[hdr+3]) );
  iCellFirst = cellOffset + 2*nCell;


  /* This block handles pages with two or fewer free blocks and nMaxFrag
  ** or fewer fragmented bytes. In this case it is faster to move the
  ** two (or one) blocks of cells using memmove() and add the required
  ** offsets to each pointer in the cell-pointer array than it is to 
  ** reconstruct the entire page.  */
  if( (int)data[hdr+7]<=nMaxFrag ){
    int iFree = get2byte(&data[hdr+1]);
    if( iFree ){
      int iFree2 = get2byte(&data[iFree]);











      if( 0==iFree2 || (data[iFree2]==0 && data[iFree2+1]==0) ){
        u8 *pEnd = &data[cellOffset + nCell*2];
        u8 *pAddr;
        int sz2 = 0;
        int sz = get2byte(&data[iFree+2]);
        int top = get2byte(&data[hdr+5]);
        if( iFree2 ){

          sz2 = get2byte(&data[iFree2+2]);

          memmove(&data[iFree+sz+sz2], &data[iFree+sz], iFree2-(iFree+sz));
          sz += sz2;
        }
        cbrk = top+sz;

        memmove(&data[cbrk], &data[top], iFree-top);
        for(pAddr=&data[cellOffset]; pAddr<pEnd; pAddr+=2){
          pc = get2byte(pAddr);
          if( pc<iFree ){ put2byte(pAddr, pc+sz); }
          else if( pc<iFree2 ){ put2byte(pAddr, pc+sz2); }
        }
        goto defragment_out;
      }
    }
  }

  usableSize = pPage->pBt->usableSize;
  cbrk = usableSize;
  iCellLast = usableSize - 4;

  for(i=0; i<nCell; i++){
    u8 *pAddr;     /* The i-th cell pointer */
    pAddr = &data[cellOffset + i*2];
    pc = get2byte(pAddr);
    testcase( pc==iCellFirst );
    testcase( pc==iCellLast );
    /* These conditions have already been verified in btreeInitPage()








>










>
>
>
>
>
>
>
>
>
>
>







>

>




>











<


<








1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405

1406
1407

1408
1409
1410
1411
1412
1413
1414

  temp = 0;
  src = data = pPage->aData;
  hdr = pPage->hdrOffset;
  cellOffset = pPage->cellOffset;
  nCell = pPage->nCell;
  assert( nCell==get2byte(&data[hdr+3]) );
  iCellFirst = cellOffset + 2*nCell;
  usableSize = pPage->pBt->usableSize;

  /* This block handles pages with two or fewer free blocks and nMaxFrag
  ** or fewer fragmented bytes. In this case it is faster to move the
  ** two (or one) blocks of cells using memmove() and add the required
  ** offsets to each pointer in the cell-pointer array than it is to 
  ** reconstruct the entire page.  */
  if( (int)data[hdr+7]<=nMaxFrag ){
    int iFree = get2byte(&data[hdr+1]);
    if( iFree ){
      int iFree2 = get2byte(&data[iFree]);

      /* pageFindSlot() has already verified that free blocks are sorted
      ** in order of offset within the page, and that no block extends
      ** past the end of the page. Provided the two free slots do not 
      ** overlap, this guarantees that the memmove() calls below will not
      ** overwrite the usableSize byte buffer, even if the database page
      ** is corrupt.  */
      assert( iFree2==0 || iFree2>iFree );
      assert( iFree+get2byte(&data[iFree+2]) <= usableSize );
      assert( iFree2==0 || iFree2+get2byte(&data[iFree2+2]) <= usableSize );

      if( 0==iFree2 || (data[iFree2]==0 && data[iFree2+1]==0) ){
        u8 *pEnd = &data[cellOffset + nCell*2];
        u8 *pAddr;
        int sz2 = 0;
        int sz = get2byte(&data[iFree+2]);
        int top = get2byte(&data[hdr+5]);
        if( iFree2 ){
          if( iFree+sz>iFree2 ) return SQLITE_CORRUPT_BKPT;
          sz2 = get2byte(&data[iFree2+2]);
          assert( iFree+sz+sz2+iFree2-(iFree+sz) <= usableSize );
          memmove(&data[iFree+sz+sz2], &data[iFree+sz], iFree2-(iFree+sz));
          sz += sz2;
        }
        cbrk = top+sz;
        assert( cbrk+(iFree-top) <= usableSize );
        memmove(&data[cbrk], &data[top], iFree-top);
        for(pAddr=&data[cellOffset]; pAddr<pEnd; pAddr+=2){
          pc = get2byte(pAddr);
          if( pc<iFree ){ put2byte(pAddr, pc+sz); }
          else if( pc<iFree2 ){ put2byte(pAddr, pc+sz2); }
        }
        goto defragment_out;
      }
    }
  }


  cbrk = usableSize;
  iCellLast = usableSize - 4;

  for(i=0; i<nCell; i++){
    u8 *pAddr;     /* The i-th cell pointer */
    pAddr = &data[cellOffset + i*2];
    pc = get2byte(pAddr);
    testcase( pc==iCellFirst );
    testcase( pc==iCellLast );
    /* These conditions have already been verified in btreeInitPage()

Added test/corruptK.test. 





































































































































































































































>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

# 2017-03-03
#
# The author disclaims copyright to this source code.  In place of
# a legal notice, here is a blessing:
#
#    May you do good and not evil.
#    May you find forgiveness for yourself and forgive others.
#    May you share freely, never taking more than you give.
#
#***********************************************************************
#

set testdir [file dirname $argv0]
source $testdir/tester.tcl
set testprefix corruptK

if {[permutation]=="mmap"} {
  finish_test
  return
}

# This module uses hard-coded offsets which do not work if the reserved_bytes
# value is nonzero.
if {[nonzero_reserved_bytes]} {finish_test; return;}
database_may_be_corrupt

# Initialize the database.
# 
do_execsql_test 1.1 {
  PRAGMA page_size=1024;
  PRAGMA auto_vacuum=0;
  CREATE TABLE t1(x);

  INSERT INTO t1 VALUES(randomblob(20));
  INSERT INTO t1 VALUES(randomblob(100));   -- make this into a free slot
  INSERT INTO t1 VALUES(randomblob(27));    -- this one will be corrupt
  INSERT INTO t1 VALUES(randomblob(800));

  DELETE FROM t1 WHERE rowid=2;  -- free the 100 byte slot
  PRAGMA page_count
} {2}


# Corrupt the database so that the blob stored immediately before 
# the free slot (rowid==3) has an overlarge length field. So that
# we can use sqlite3_blob_write() to manipulate the size field of
# the free slot.
#
# Then use sqlite3_blob_write() to set the size of said free slot
# to 24 bytes (instead of the actual 100).
#
# Then use the new 24 byte slot. Leaving the in-memory version of
# the page with zero free slots and a large nFree value. Then try
# to allocate another slot to get to defragmentPage().
#
do_test 1.2 {
  db close
  hexio_write test.db [expr 1024 + 0x360] 21
  hexio_write test.db [expr 1024 + 0x363] [format %x [expr 31*2 + 12]]
  sqlite3 db test.db

  set fd [db incrblob t1 x 3]
  fconfigure $fd -translation binary -encoding binary
  seek $fd 30
  puts -nonewline $fd "\x18"
  close $fd
} {}
do_execsql_test 1.3 {
  INSERT INTO t1 VALUES(randomblob(20));
}
do_catchsql_test 1.4 {
  INSERT INTO t1 VALUES(randomblob(90));
} {1 {database disk image is malformed}}

#-------------------------------------------------------------------------
reset_db
do_execsql_test 2.1 {
  PRAGMA page_size=1024;
  PRAGMA auto_vacuum=0;
  CREATE TABLE t1(x);

  INSERT INTO t1 VALUES(randomblob(20));
  INSERT INTO t1 VALUES(randomblob(20));    -- free this one
  INSERT INTO t1 VALUES(randomblob(20));
  INSERT INTO t1 VALUES(randomblob(20));    -- and this one
  INSERT INTO t1 VALUES(randomblob(20));    -- corrupt this one.

  DELETE FROM t1 WHERE rowid IN(2, 4);
  PRAGMA page_count
} {2}

do_test 2.2 {
  db close
  hexio_write test.db [expr 1024 + 0x388] 53
  hexio_write test.db [expr 1024 + 0x38A] 03812C

  sqlite3 db test.db
  set fd [db incrblob t1 x 5]
  fconfigure $fd -translation binary -encoding binary

  seek $fd 22
  puts -nonewline $fd "\x5d"
  close $fd
} {}

do_catchsql_test 2.3 {
  INSERT INTO t1 VALUES(randomblob(900));
} {1 {database disk image is malformed}}




finish_test

This page was generated in about 0.018s by Fossil 2.12 [19677d7629] 2020-08-08 01:55:52