Comment:Fix a buffer overread that could occur in fts3 with corrupt %_stat records.
SHA3-256: e01fdbf9f700e1bd9dd5283c65547d10d26ce4f4506d3cfef9e1087aecdc2305
User & Date: dan 2019-12-04 03:46:50

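--- a/ext/fts3/fts3_write.c
+++ b/ext/fts3/fts3_write.c
@@ -4846,21 +4846,25 @@
 ** If no error occurs, return SQLITE_OK. If the hint blob in *pHint does
 ** not contain at least two valid varints, return SQLITE_CORRUPT_VTAB.
 */
 static int fts3IncrmergeHintPop(Blob *pHint, i64 *piAbsLevel, int *pnInput){
   const int nHint = pHint->n;
   int i;
 
-  i = pHint->n-2;
+  i = pHint->n-1;
+  if( (pHint->a[i] & 0x80) ) return FTS_CORRUPT_VTAB;
   while( i>0 && (pHint->a[i-1] & 0x80) ) i--;
+  if( i==0 ) return FTS_CORRUPT_VTAB;
+  i--;
   while( i>0 && (pHint->a[i-1] & 0x80) ) i--;
 
   pHint->n = i;
   i += sqlite3Fts3GetVarint(&pHint->a[i], piAbsLevel);
   i += fts3GetVarint32(&pHint->a[i], pnInput);
+  assert( i<=nHint );
   if( i!=nHint ) return FTS_CORRUPT_VTAB;
 
   return SQLITE_OK;
 }
 
 
 /*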
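Review bot: The new leading-byte guard in fts3IncrmergeHintPop still reads `pHint->a[pHint->n-1]` without first checking that the hint blob is non-empty, so a zero-length hint (n==0) indexes a[-1] unless every caller already rejects that case, which this hunk does not show. Since the header comment requires at least two varints, a cheap precondition such as `if( nHint<2 ) return FTS_CORRUPT_VTAB;` placed before the first read closes that gap and documents the contract in code. With that, the two 0x80 checks and the final `assert( i<=nHint )` appear to bound both decodes to the blob, on the assumption that sqlite3Fts3GetVarint and fts3GetVarint32 stop at the first byte without the continuation bit or at their maximum length. The comment above the function still names SQLITE_CORRUPT_VTAB while the code returns FTS_CORRUPT_VTAB; if those are not the same value, the comment should say FTS_CORRUPT_VTAB.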

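--- a/test/fts3corrupt4.test
+++ b/test/fts3corrupt4.test
@@ -5762,10 +5762,22 @@
 do_execsql_test 32.1 {
   UPDATE t1 SET b=quote(zeroblob(6.51158946e+5)) WHERE a MATCH '*t*';
 } {}
 
 do_catchsql_test 32.2 {
   UPDATE t1 SET b=((- '' )) WHERE a MATCH '0*t';
 } {1 {database disk image is malformed}}
 
+#-------------------------------------------------------------------------
+#
+reset_db
+do_catchsql_test 32.0 {
+  CREATE VIRTUAL TABLE f USING fts3(a,b,tokenize=icu);
+  CREATE TABLE 'f_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
+  CREATE TABLE 'f_stat'(id INTEGER PRIMARY KEY, value BLOB);
+  INSERT INTO f VALUES (1, '1234');
+  INSERT INTO f_stat VALUES (1,x'0000000165656565db6569746565c5c52bc5c5c53e3a003bc502ffffffffc5c5c53e3a003bc502fffffffffb8b2afbfb6565f0740100650000000165656565db6569746565c5c52bc5c5c53e3a003bc502ffffffffc5c5c53e3a003b8b00c5c5c5c5c5bfc5');
+  INSERT INTO f(f) VALUES ('merge=198,49');
+} {1 {database disk image is malformed}}
+
 
 finish_test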
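Review bot: The new test creates its fts3 table with `tokenize=icu`, so on a build without ICU support the CREATE VIRTUAL TABLE itself would fail with a different error and the expected `{1 {database disk image is malformed}}` would not match, unless this file is already skipped on such builds, which is not visible in this hunk. Either guard the block with `ifcapable icu { ... }` or drop the tokenize option if the corrupt %_stat path being exercised does not depend on the tokenizer. The block is also numbered 32.0 yet appears after 32.1 and 32.2 under a fresh `reset_db`; numbering it 33.0 keeps the file in order and signals that it is a separate scenario rather than a continuation of the t1 tests above it.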