SQLite

Check-in [cb50509020]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Avoid reading off the front of a page buffer when balancing a corrupt btree page.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: cb50509020d952fa9efed8df7fa08b07b71ae9bdbdefea216b6e660863291039
User & Date: drh 2019-01-14 05:48:10.140
Context
2019-01-14
11:56
Have fts3 ignore empty sets of parenthesis if built with SQLITE_ENABLE_FTS3_PARENTHESIS. (check-in: c93c6b45a3 user: dan tags: trunk)
05:48
Avoid reading off the front of a page buffer when balancing a corrupt btree page. (check-in: cb50509020 user: drh tags: trunk)
2019-01-13
20:23
In dbfuzz2, avoid using a malloc in the LLVMFuzzerInitialize() initializer routine, so that no memory leaks are reported. Also, show the version of SQLite being used when the -v option is on. (check-in: 824f932469 user: drh tags: trunk)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/btree.c. 
6659
6660
6661
6662
6663
6664
6665
6666
6667






6668


6669
6670
6671
6672
6673
6674
6675

    if( rc ){ *pRC = rc; return; }
    /* The allocateSpace() routine guarantees the following properties
    ** if it returns successfully */
    assert( idx >= 0 );
    assert( idx >= pPage->cellOffset+2*pPage->nCell+2 || CORRUPT_DB );
    assert( idx+sz <= (int)pPage->pBt->usableSize );
    pPage->nFree -= (u16)(2 + sz);
    memcpy(&data[idx], pCell, sz);
    if( iChild ){






      put4byte(&data[idx], iChild);


    }
    pIns = pPage->aCellIdx + i*2;
    memmove(pIns+2, pIns, 2*(pPage->nCell - i));
    put2byte(pIns, idx);
    pPage->nCell++;
    /* increment the cell count */
    if( (++data[pPage->hdrOffset+4])==0 ) data[pPage->hdrOffset+3]++;








<

>
>
>
>
>
>

>
>








6659
6660
6661
6662
6663
6664
6665

6666
6667
6668
6669
6670
6671
6672
6673
6674
6675
6676
6677
6678
6679
6680
6681
6682

    if( rc ){ *pRC = rc; return; }
    /* The allocateSpace() routine guarantees the following properties
    ** if it returns successfully */
    assert( idx >= 0 );
    assert( idx >= pPage->cellOffset+2*pPage->nCell+2 || CORRUPT_DB );
    assert( idx+sz <= (int)pPage->pBt->usableSize );
    pPage->nFree -= (u16)(2 + sz);

    if( iChild ){
      /* In a corrupt database where an entry in the cell index section of
      ** a btree page has a value of 3 or less, the pCell value might point
      ** as many as 4 bytes in front of the start of the aData buffer for
      ** the source page.  Make sure this does not cause problems by not
      ** reading the first 4 bytes */
      memcpy(&data[idx+4], pCell+4, sz-4);
      put4byte(&data[idx], iChild);
    }else{
      memcpy(&data[idx], pCell, sz);
    }
    pIns = pPage->aCellIdx + i*2;
    memmove(pIns+2, pIns, 2*(pPage->nCell - i));
    put2byte(pIns, idx);
    pPage->nCell++;
    /* increment the cell count */
    if( (++data[pPage->hdrOffset+4])==0 ) data[pPage->hdrOffset+3]++;