/ Check-in [5df02f50]
Login
Home Timeline Branches Tags Tickets Wiki More...
SQLite training in Houston TX on 2019-11-05 (details)
Part of the 2019 Tcl Conference

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix potential 32-bit integer overflow problems on the offset and length parameters to sqlite3_blob_read() and sqlite3_blob_write(). For sqlite3_blob_open(), make sure the *ppBlob return parameter is zeroed if the interface fails with SQLITE_MISUSE.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 5df02f50f8348dfde4fc15126abc7b7ef7803e69
User & Date: drh 2015-02-07 15:16:35
Context
2015-02-09
10:20
Fix over-length source code lines in resolver.c. No logic changes. check-in: c12edb85 user: drh tags: trunk
2015-02-07
15:30
Merge increment blob I/O fixes from trunk. check-in: 292cf68b user: drh tags: apple-osx
15:16
Fix potential 32-bit integer overflow problems on the offset and length parameters to sqlite3_blob_read() and sqlite3_blob_write(). For sqlite3_blob_open(), make sure the *ppBlob return parameter is zeroed if the interface fails with SQLITE_MISUSE. check-in: 5df02f50 user: drh tags: trunk
2015-02-06
14:51
Change the name of ".info" to ".dbinfo" and add an optional second argument which is the ATTACH-ed DB about which information is provided. Provide ".indexes" as an alternative name to the legacy ".indices" command. check-in: 0f65a7e2 user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/vdbeblob.c. 

150
151
152
153
154
155
156






157
158
159
160
161
162
163
164
165
166
167
168
169
...
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383

  int rc = SQLITE_OK;
  char *zErr = 0;
  Table *pTab;
  Parse *pParse = 0;
  Incrblob *pBlob = 0;

#ifdef SQLITE_ENABLE_API_ARMOR






  if( !sqlite3SafetyCheckOk(db) || ppBlob==0 || zTable==0 ){
    return SQLITE_MISUSE_BKPT;
  }
#endif
  flags = !!flags;                /* flags = (flags ? 1 : 0); */
  *ppBlob = 0;

  sqlite3_mutex_enter(db->mutex);

  pBlob = (Incrblob *)sqlite3DbMallocZero(db, sizeof(Incrblob));
  if( !pBlob ) goto blob_open_out;
  pParse = sqlite3StackAllocRaw(db, sizeof(*pParse));
  if( !pParse ) goto blob_open_out;
................................................................................
  sqlite3 *db;

  if( p==0 ) return SQLITE_MISUSE_BKPT;
  db = p->db;
  sqlite3_mutex_enter(db->mutex);
  v = (Vdbe*)p->pStmt;

  if( n<0 || iOffset<0 || (iOffset+n)>p->nByte ){
    /* Request is out of range. Return a transient error. */
    rc = SQLITE_ERROR;
  }else if( v==0 ){
    /* If there is no statement handle, then the blob-handle has
    ** already been invalidated. Return SQLITE_ABORT in this case.
    */
    rc = SQLITE_ABORT;








>
>
>
>
>
>
|




<







 







|








150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167

168
169
170
171
172
173
174
...
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388

  int rc = SQLITE_OK;
  char *zErr = 0;
  Table *pTab;
  Parse *pParse = 0;
  Incrblob *pBlob = 0;

#ifdef SQLITE_ENABLE_API_ARMOR
  if( ppBlob==0 ){
    return SQLITE_MISUSE_BKPT;
  }
#endif
  *ppBlob = 0;
#ifdef SQLITE_ENABLE_API_ARMOR
  if( !sqlite3SafetyCheckOk(db) || zTable==0 ){
    return SQLITE_MISUSE_BKPT;
  }
#endif
  flags = !!flags;                /* flags = (flags ? 1 : 0); */


  sqlite3_mutex_enter(db->mutex);

  pBlob = (Incrblob *)sqlite3DbMallocZero(db, sizeof(Incrblob));
  if( !pBlob ) goto blob_open_out;
  pParse = sqlite3StackAllocRaw(db, sizeof(*pParse));
  if( !pParse ) goto blob_open_out;
................................................................................
  sqlite3 *db;

  if( p==0 ) return SQLITE_MISUSE_BKPT;
  db = p->db;
  sqlite3_mutex_enter(db->mutex);
  v = (Vdbe*)p->pStmt;

  if( n<0 || iOffset<0 || ((sqlite3_int64)iOffset+n)>p->nByte ){
    /* Request is out of range. Return a transient error. */
    rc = SQLITE_ERROR;
  }else if( v==0 ){
    /* If there is no statement handle, then the blob-handle has
    ** already been invalidated. Return SQLITE_ABORT in this case.
    */
    rc = SQLITE_ABORT;

Changes to test/incrblob2.test. 

319
320
321
322
323
324
325









326
327
328
329
330
331













332
333
334
335
336
337
338

  close $rdHandle
} {}

do_test incrblob2-6.2 {
  set rdHandle [db incrblob -readonly t1 data 1]
  sqlite3_blob_read $rdHandle 0 2
} {AB}










do_test incrblob2-6.3 {
  set wrHandle [db incrblob t1 data 1]
  sqlite3_blob_write $wrHandle 0 ZZZZZZZZZZ
  sqlite3_blob_read $rdHandle 2 4
} {ZZZZ}














do_test incrblob2-6.4 {
  close $wrHandle
  close $rdHandle
} {}

sqlite3_memory_highwater 1








>
>
>
>
>
>
>
>
>






>
>
>
>
>
>
>
>
>
>
>
>
>








319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360

  close $rdHandle
} {}

do_test incrblob2-6.2 {
  set rdHandle [db incrblob -readonly t1 data 1]
  sqlite3_blob_read $rdHandle 0 2
} {AB}

do_test incrblob2-6.2b {
  set rc [catch {
    # Prior to 2015-02-07, the following caused a segfault due to
    # integer overflow.
    sqlite3_blob_read $rdHandle 2147483647 2147483647
  } errmsg]
  lappend rc $errmsg
} {1 SQLITE_ERROR}

do_test incrblob2-6.3 {
  set wrHandle [db incrblob t1 data 1]
  sqlite3_blob_write $wrHandle 0 ZZZZZZZZZZ
  sqlite3_blob_read $rdHandle 2 4
} {ZZZZ}

do_test incrblob2-6.3b {
  set rc [catch {
    # Prior to 2015-02-07, the following caused a segfault due to
    # integer overflow.
    sqlite3_blob_write $wrHandle 2147483647 YYYYYYYYYYYYYYYYYY
  } errmsg]
  lappend rc $errmsg
} {1 SQLITE_ERROR}
do_test incrblob2-6.3c {
  sqlite3_blob_read $rdHandle 2 4
} {ZZZZ}


do_test incrblob2-6.4 {
  close $wrHandle
  close $rdHandle
} {}

sqlite3_memory_highwater 1

This page was generated in about 0.007s by Fossil 2.10 [9d9ef82234] 2019-10-04 21:41:13