SQLite

Check-in [058a8006dc]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Ensure that a key comparison does not read a collating sequence past the end of the KeyInfo, even if the key field of an index is corrupted by having a string in the last column instead of the ROWID.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 058a8006dceda78a894ea9446f057aa60b6d38e96506d4d91bda0ee2f9314ba3
User & Date: drh 2019-01-22 02:34:35.566
Context
2019-01-22
12:21
Fix another segfault caused by a corrupt fts3 database. (check-in: ba3b841272 user: dan tags: trunk)
02:34
Ensure that a key comparison does not read a collating sequence past the end of the KeyInfo, even if the key field of an index is corrupted by having a string in the last column instead of the ROWID. (check-in: 058a8006dc user: drh tags: trunk)
2019-01-21
23:18
Enhance the btree search routine so that it does early detection of impossibly large keys and thereby avoids a large malloc() call. (check-in: 3ecaaee69f user: drh tags: trunk)
Changes
Side-by-Side Diff Show Whitespace Changes Patch
Changes to src/vdbeaux.c.
3898
3899
3900
3901
3902
3903
3904
3905


3906
3907
3908
3909
3910
3911
3912
3898
3899
3900
3901
3902
3903
3904

3905
3906
3907
3908
3909
3910
3911
3912
3913







-
+
+








    /* Extract the values to be compared.
    */
    d1 += sqlite3VdbeSerialGet(&aKey1[d1], serial_type1, &mem1);

    /* Do the comparison
    */
    rc = sqlite3MemCompare(&mem1, &pPKey2->aMem[i], pKeyInfo->aColl[i]);
    rc = sqlite3MemCompare(&mem1, &pPKey2->aMem[i],
                           pKeyInfo->nAllField>i ? pKeyInfo->aColl[i] : 0);
    if( rc!=0 ){
      assert( mem1.szMalloc==0 );  /* See comment below */
      if( pKeyInfo->aSortOrder[i] ){
        rc = -rc;  /* Invert the result for DESC sort order. */
      }
      goto debugCompareEnd;
    }
4329
4330
4331
4332
4333
4334
4335
4336



4337
4338
4339

4340
4341
4342
4343
4344
4345
4346
4330
4331
4332
4333
4334
4335
4336

4337
4338
4339
4340
4341

4342
4343
4344
4345
4346
4347
4348
4349







-
+
+
+


-
+







        rc = -1;
      }else if( !(serial_type & 0x01) ){
        rc = +1;
      }else{
        mem1.n = (serial_type - 12) / 2;
        testcase( (d1+mem1.n)==(unsigned)nKey1 );
        testcase( (d1+mem1.n+1)==(unsigned)nKey1 );
        if( (d1+mem1.n) > (unsigned)nKey1 ){
        if( (d1+mem1.n) > (unsigned)nKey1
         || (pKeyInfo = pPKey2->pKeyInfo)->nAllField<=i
        ){
          pPKey2->errCode = (u8)SQLITE_CORRUPT_BKPT;
          return 0;                /* Corruption */
        }else if( (pKeyInfo = pPKey2->pKeyInfo)->aColl[i] ){
        }else if( pKeyInfo->aColl[i] ){
          mem1.enc = pKeyInfo->enc;
          mem1.db = pKeyInfo->db;
          mem1.flags = MEM_Str;
          mem1.z = (char*)&aKey1[d1];
          rc = vdbeCompareMemString(
              &mem1, pRhs, pKeyInfo->aColl[i], &pPKey2->errCode
          );