/ Check-in [f7e6cdc5]
Login
SQLite training in Houston TX on 2019-11-05 (details)
Part of the 2019 Tcl Conference

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix another case in fts5 where a corrupt database could cause a buffer overread.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: f7e6cdc5625664f449d0edbe39af2d45910c4137bfd856ae1f770dd826c138ff
User & Date: dan 2019-01-01 13:59:34
Context
2019-01-01
18:00
Ensure that when a new cursor is opened by OP_OpenDup, any existing cursor with the same id opened by a previous OP_OpenDup is closed first. check-in: 5c188361 user: dan tags: trunk
13:59
Fix another case in fts5 where a corrupt database could cause a buffer overread. check-in: f7e6cdc5 user: dan tags: trunk
2018-12-31
21:43
Fix harmless compiler warnings. check-in: b57c545a user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to ext/fts5/fts5_index.c.

2307
2308
2309
2310
2311
2312
2313

2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327




2328
2329
2330
2331
2332
2333
2334
      if( pIter->pLeaf==0 ) return;
      a = pIter->pLeaf->p;
      if( fts5LeafIsTermless(pIter->pLeaf)==0 ){
        iPgidx = pIter->pLeaf->szLeaf;
        iPgidx += fts5GetVarint32(&pIter->pLeaf->p[iPgidx], iOff);
        if( iOff<4 || iOff>=pIter->pLeaf->szLeaf ){
          p->rc = FTS5_CORRUPT;

        }else{
          nKeep = 0;
          iTermOff = iOff;
          n = pIter->pLeaf->nn;
          iOff += fts5GetVarint32(&a[iOff], nNew);
          break;
        }
      }
    }while( 1 );
  }

 search_success:

  pIter->iLeafOffset = iOff + nNew;




  pIter->iTermLeafOffset = pIter->iLeafOffset;
  pIter->iTermLeafPgno = pIter->iLeafPgno;

  fts5BufferSet(&p->rc, &pIter->term, nKeep, pTerm);
  fts5BufferAppendBlob(&p->rc, &pIter->term, nNew, &a[iOff]);

  if( iPgidx>=n ){







>












<

>
>
>
>







2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326

2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
      if( pIter->pLeaf==0 ) return;
      a = pIter->pLeaf->p;
      if( fts5LeafIsTermless(pIter->pLeaf)==0 ){
        iPgidx = pIter->pLeaf->szLeaf;
        iPgidx += fts5GetVarint32(&pIter->pLeaf->p[iPgidx], iOff);
        if( iOff<4 || iOff>=pIter->pLeaf->szLeaf ){
          p->rc = FTS5_CORRUPT;
          return;
        }else{
          nKeep = 0;
          iTermOff = iOff;
          n = pIter->pLeaf->nn;
          iOff += fts5GetVarint32(&a[iOff], nNew);
          break;
        }
      }
    }while( 1 );
  }

 search_success:

  pIter->iLeafOffset = iOff + nNew;
  if( pIter->iLeafOffset>n ){
    p->rc = FTS5_CORRUPT;
    return;
  }
  pIter->iTermLeafOffset = pIter->iLeafOffset;
  pIter->iTermLeafPgno = pIter->iLeafPgno;

  fts5BufferSet(&p->rc, &pIter->term, nKeep, pTerm);
  fts5BufferAppendBlob(&p->rc, &pIter->term, nNew, &a[iOff]);

  if( iPgidx>=n ){

Changes to ext/fts5/test/fts5corrupt3.test.

1627
1628
1629
1630
1631
1632
1633

































































































































1634




1635
1636
1637
| end crash-cf347c523f793c.db
}]} {}

do_catchsql_test 20.1 {
  SELECT * FROM t1 WHERE t1 MATCH 'abandon';
} {1 {vtable constructor failed: t1}}







































































































































sqlite3_fts5_may_be_corrupt 0
finish_test








>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

>
>
>
>



1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
| end crash-cf347c523f793c.db
}]} {}

do_catchsql_test 20.1 {
  SELECT * FROM t1 WHERE t1 MATCH 'abandon';
} {1 {vtable constructor failed: t1}}

#-------------------------------------------------------------------------
reset_db
do_test 21.0 {
  sqlite3 db {}
  db deserialize [decode_hexdb {
| size 28672 pagesize 4096 filename c22b.db
| page 1 offset 0
|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
|     16: 10 00 01 01 00 40 20 20 00 00 00 01 00 00 00 07   .....@  ........
|     32: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00   ................
|     48: 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00   ................
|     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01   ................
|     96: 00 2e 30 38 0d 00 00 00 07 0d d2 00 0f c4 0f 6d   ..08...........m
|    112: 0f 02 0e ab 0e 4e 0d f6 0d d2 00 00 00 00 00 00   .....N..........
|   3536: 00 00 22 07 06 17 11 11 01 31 74 61 62 6c 65 74   .........1tablet
|   3552: 32 74 32 07 43 52 45 41 54 45 20 54 41 42 4c 45   2t2.CREATE TABLE
|   3568: 20 74 32 28 78 29 56 06 06 17 1f 1f 01 7d 74 61    t2(x)V.......ta
|   3584: 62 6c 65 74 31 5f 63 6f 6e 66 69 67 74 31 5f 63   blet1_configt1_c
|   3600: 6f 6e 66 69 67 06 43 52 45 41 54 45 20 54 41 42   onfig.CREATE TAB
|   3616: 4c 45 20 27 74 31 5f 63 6f 6e 66 69 67 27 28 6b   LE 't1_config'(k
|   3632: 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 76 29    PRIMARY KEY, v)
|   3648: 20 57 49 54 48 4f 55 54 20 52 4f 57 49 44 5b 05    WITHOUT ROWID[.
|   3664: 07 17 21 21 01 81 01 74 61 62 6c 65 74 31 5f 64   ..!!...tablet1_d
|   3680: 6f 63 73 69 7a 65 74 31 5f 64 6f 63 73 69 7a 65   ocsizet1_docsize
|   3696: 05 43 52 45 41 54 45 20 54 41 42 4c 45 20 27 74   .CREATE TABLE 't
|   3712: 31 5f 64 6f 63 73 69 7a 65 27 28 69 64 20 49 4e   1_docsize'(id IN
|   3728: 54 45 47 45 52 20 50 52 49 4d 41 52 59 20 4b 45   TEGER PRIMARY KE
|   3744: 59 2c 20 73 7a 20 42 4c 4f 42 29 55 04 06 17 21   Y, sz BLOB)U...!
|   3760: 21 01 77 74 61 62 6c 65 74 31 5f 63 6f 6e 74 65   !.wtablet1_conte
|   3776: 6e 74 74 31 5f 63 6f 6e 74 65 6e 74 04 43 52 45   ntt1_content.CRE
|   3792: 41 54 45 20 54 41 42 4c 45 20 27 74 31 5f 63 6f   ATE TABLE 't1_co
|   3808: 6e 74 65 6e 74 27 28 69 64 20 49 4e 54 45 47 45   ntent'(id INTEGE
|   3824: 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 63   R PRIMARY KEY, c
|   3840: 30 29 69 03 07 17 19 19 01 81 2d 74 61 62 6c 65   0)i.......-table
|   3856: 74 31 5f 69 64 78 74 31 5f 69 64 78 03 43 52 45   t1_idxt1_idx.CRE
|   3872: 41 54 45 20 54 41 42 4c 45 20 27 74 31 5f 69 64   ATE TABLE 't1_id
|   3888: 78 27 28 73 65 67 69 64 2c 20 74 65 72 6d 2c 20   x'(segid, term, 
|   3904: 70 67 6e 6f 2c 20 50 52 49 4d 41 52 59 20 4b 45   pgno, PRIMARY KE
|   3920: 59 28 73 65 67 69 64 2c 20 74 65 72 6d 29 29 20   Y(segid, term)) 
|   3936: 57 49 54 48 4f 55 54 20 52 4f 57 49 44 55 02 07   WITHOUT ROWIDU..
|   3952: 17 1b 1b 01 81 01 74 61 62 6c 65 74 31 5f 64 61   ......tablet1_da
|   3968: 74 61 74 31 5f 64 61 74 61 02 43 52 45 41 54 45   tat1_data.CREATE
|   3984: 20 54 41 42 4c 45 20 27 74 31 5f 64 61 74 61 27    TABLE 't1_data'
|   4000: 28 69 64 20 49 4e 54 45 47 45 52 20 50 52 49 4d   (id INTEGER PRIM
|   4016: 41 52 59 20 4b 45 59 2c 20 62 6c 6f 63 6b 20 42   ARY KEY, block B
|   4032: 4c 4f 42 29 3a 01 06 17 11 11 08 63 74 61 62 6c   LOB):......ctabl
|   4048: 65 74 31 74 31 43 52 45 41 54 45 20 56 49 52 54   et1t1CREATE VIRT
|   4064: 55 41 4c 20 54 41 42 4c 45 20 74 31 20 55 53 49   UAL TABLE t1 USI
|   4080: 4e 47 20 66 74 73 35 28 63 6f 6e 74 65 6e 74 29   NG fts5(content)
| page 2 offset 4096
|      0: 0d 0e 8e 00 06 0e 2f 00 0f e8 0e 2f 0f bd 0f 3b   ....../..../...;
|     16: 0e a5 0e 49 00 00 00 00 00 00 00 00 00 00 00 00   ...I............
|   3616: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18   ................
|   3632: 0a 03 00 36 00 00 00 00 01 04 04 00 04 01 01 01   ...6............
|   3648: 02 01 01 03 01 01 04 01 01 3e 90 80 80 80 80 01   .........>......
|   3664: 04 00 81 00 00 00 00 36 06 30 62 61 63 6b 75 05   .......6.0backu.
|   3680: 02 04 05 02 04 02 05 65 61 6d 65 72 05 02 02 05   .......eamer....
|   3696: 02 02 02 05 6f 6f 6d 65 72 05 01 05 01 02 05 75   ....oomer......u
|   3712: 6d 6d 65 72 05 02 03 05 02 03 04 0d 0d 0b 0f 27   mmer...........'
|   3728: 00 17 30 00 00 00 00 01 03 03 00 03 01 01 01 02   ..0.............
|   3744: 01 01 03 01 01 7b 8c 80 80 80 80 01 04 00 81 7a   ...............z
|   3760: 00 00 00 6d 06 30 61 62 61 63 6b 0d 02 07 04 04   ...m.0aback.....
|   3776: 6e 64 6f 6e 0d 02 05 02 05 63 74 69 76 65 09 02   ndon.....ctive..
|   3792: 02 04 02 0b 02 04 6c 70 68 61 0d 04 02 0a 02 03   ......lpha......
|   3808: 74 6f 6d 0b 02 02 02 02 09 05 02 69 63 0c 02 02   tom........ic...
|   3824: 01 06 62 61 63 6b 75 70 0d 02 04 02 05 6f 6f 6d   ..backup.....oom
|   3840: 65 72 0a 02 02 03 02 08 01 07 63 68 61 6e 6e 65   er........channe
|   3856: 6c 0d 02 03 01 04 74 65 73 74 0d 02 06 04 0a 09   l.....test......
|   3872: 0d 0a 0b 07 0b 0d 0c 0f ef 00 14 2a 00 00 00 00   ...........*....
|   3888: 01 02 02 00 02 01 01 01 02 01 01 7b 88 80 80 80   ................
|   3904: 80 01 04 00 81 7a 00 00 00 6d 06 30 61 62 61 63   .....z...m.0abac
|   3920: 6b 08 02 07 04 04 6e 64 6f 6e 08 02 05 02 05 63   k.....ndon.....c
|   3936: 74 69 76 65 04 02 02 04 02 0b 02 04 6c 70 68 61   tive........lpha
|   3952: 08 04 02 0a 02 03 74 6f 6d 06 02 02 02 02 09 05   ......tom.......
|   3968: 02 69 63 07 02 02 01 06 62 61 63 6b 75 70 08 02   .ic.....backup..
|   3984: 04 02 05 6f 6f 6d 65 72 05 02 02 03 02 08 01 07   ...oomer........
|   4000: 63 68 61 6e 6e 65 6c 08 02 03 01 04 74 65 73 74   channel.....test
|   4016: 08 02 06 04 0a 09 0d 0a 0b 07 0b 0d 0c 24 84 80   .............$..
|   4032: 80 80 80 01 03 00 4e 00 00 00 1e 06 30 61 62 61   ......N.....0aba
|   4048: 63 6b 01 02 02 04 02 66 74 00 02 22 04 04 6e 64   ck.....ft.....nd
|   4064: 6f 6e 03 02 02 08 0a 07 05 01 03 00 10 0d 23 00   on............#.
|   4080: 00 00 11 24 00 00 00 00 01 01 01 00 01 01 01 01   ...$............
| page 3 offset 8192
|      0: 0a 00 00 00 04 0f e5 00 0f fa 0f f3 0f ec 0f e5   ................
|   4064: 00 00 00 00 00 06 04 01 0c 01 04 02 06 04 01 0c   ................
|   4080: 01 03 02 06 04 01 0c 01 02 02 05 04 09 0c 01 02   ................
| page 4 offset 12288
|      0: 0d 0f 5a 00 0d 0e ce 00 0f f6 0f ec 0f e0 0f d5   ..Z.............
|     16: 0e e7 0f c1 0f b6 0f 70 0f 65 0e ce 0f 51 0f 46   .......p.e...Q.F
|     32: 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
|   3776: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 0a   ................
|   3792: 03 00 35 62 65 61 6d 65 72 20 62 75 6d 6d 65 72   ..5beamer bummer
|   3808: 20 62 61 63 6b 75 29 17 05 03 00 35 62 65 61 6d    backu)....5beam
|   3824: 65 72 20 62 75 6d 6d 65 72 20 62 61 63 6b 75 29   er bummer backu)
|   3840: 44 0d 04 00 81 0d 61 6c 70 68 61 20 63 68 61 6e   D.....alpha chan
|   3856: 6e 65 6c 20 62 61 63 6b 75 70 20 61 62 61 6e 64   nel backup aband
|   3872: 6f 6e 20 74 65 73 74 20 61 62 61 63 6b 20 62 6f   on test aback bo
|   3888: 6f 6d 65 72 20 61 74 6f 6d 20 61 6c 70 68 61 20   omer atom alpha 
|   3904: 61 63 74 69 76 65 09 0c 03 00 19 61 74 6f 6d 69   active.....atomi
|   3920: 63 07 0b 03 00 15 61 74 6f 6d 0f ca 00 0b 19 62   c.....atom.....b
|   3936: 6f 6f 6d 65 72 09 09 03 00 19 61 63 74 69 76 65   oomer.....active
|   3952: 44 08 04 00 81 0d 61 6c 70 68 61 20 63 68 61 6e   D.....alpha chan
|   3968: 6e 65 6c 20 62 61 63 6b 75 70 20 61 62 61 6e 64   nel backup aband
|   3984: 6f 6e 20 74 65 73 74 20 61 62 61 63 6b 20 62 6f   on test aback bo
|   4000: 6f 6d 65 72 20 61 74 6f 6d 20 61 6c 70 68 61 20   omer atom alpha 
|   4016: 61 63 74 69 76 65 09 07 03 00 19 61 74 6f 6d 69   active.....atomi
|   4032: 63 07 06 03 00 15 61 74 6f 6d 00 00 00 0b 19 62   c.....atom.....b
|   4048: 6f 6f 6d 65 72 09 04 03 00 19 61 63 74 69 76 65   oomer.....active
|   4064: 0a 03 03 00 1b 61 62 61 6e 64 6f 6e 08 02 03 00   .....abandon....
|   4080: 17 61 62 61 66 74 08 01 03 00 17 61 62 61 63 6b   .abaft.....aback
| page 5 offset 16384
|      0: 0d 00 00 00 0d 0f b2 00 0f fa 0f f4 0f ee 0f e8   ................
|     16: 0f e2 0f dc 0f d6 0f d0 0f ca 0f c4 0f be 0f b8   ................
|     32: 0f b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
|   4016: 00 00 04 0d 03 00 0e 0a 04 0c 03 00 0e 01 04 0b   ................
|   4032: 03 00 0e 01 04 0a 03 00 0e 03 04 09 03 00 0e 01   ................
|   4048: 04 08 03 00 0e 0a 04 07 03 00 0e 01 04 06 03 00   ................
|   4064: 0e 01 04 05 03 00 0e 03 04 04 03 00 0e 01 04 03   ................
|   4080: 03 00 0e 01 04 02 03 00 0e 01 04 01 03 00 0e 01   ................
| page 6 offset 20480
|      0: 0a 00 00 00 01 0f f4 00 0f f4 00 00 00 00 00 00   ................
|   4080: 00 00 00 00 0b 03 1b 01 76 65 72 73 69 6f 6e 04   ........version.
| page 7 offset 24576
|      0: 0d 00 00 00 03 0f d6 00 0f f4 0f e1 0f d6 00 00   ................
|   4048: 00 00 00 00 00 00 09 03 02 1b 72 65 62 75 69 6c   ..........rebuil
|   4064: 64 11 02 02 2b 69 6e 74 65 67 72 69 74 79 2d 63   d...+integrity-c
|   4080: 68 65 63 6b 0a 01 02 1d 6f 70 74 69 6d 69 7a 65   heck....optimize
| end c22b.db
}]} {}

do_catchsql_test 21.1 {
  DELETE FROM t1 WHERE t1 MATCH 'ab*ndon';
} {1 {database disk image is malformed}}

sqlite3_fts5_may_be_corrupt 0
finish_test