Check-in [0f850a25]

Overview
Comment: Prevent unsigned 32-bit integer overflow from leading to a buffer overread inside of an assert(). The problem fixed here is not reachable in production code.
SHA3-256: 0f850a25d67a752fe1e9059c0c3f78e00c222113e556a7605fd3c50817b573cb
User & Date: drh 2019-01-12 21:30:26
Context
2019-01-13
00:58
Move a local variable declaration into the outermost scope in which it is used. This fixes an ASAN warning. check-in: ac3b6021 user: drh tags: trunk
2019-01-12
21:30
Prevent unsigned 32-bit integer overflow from leading to a buffer overread inside of an assert(). The problem fixed here is not reachable in production code. check-in: 0f850a25 user: drh tags: trunk
20:55
Fix another problem with handling corrupt records in fts5_decode(). check-in: 726e398b user: dan tags: trunk
Changes

Changes to src/vdbeaux.c.

  3879   3879   
  3880   3880       /* Verify that there is enough key space remaining to avoid
  3881   3881       ** a buffer overread.  The "d1+serial_type1+2" subexpression will
  3882   3882       ** always be greater than or equal to the amount of required key space.
  3883   3883       ** Use that approximation to avoid the more expensive call to
  3884   3884       ** sqlite3VdbeSerialTypeLen() in the common case.
  3885   3885       */
  3886         -    if( d1+serial_type1+2>(u32)nKey1
  3887         -     && d1+sqlite3VdbeSerialTypeLen(serial_type1)>(u32)nKey1 
         3886  +    if( d1+(u64)serial_type1+2>(u64)nKey1
         3887  +     && d1+(u64)sqlite3VdbeSerialTypeLen(serial_type1)>(u64)nKey1 
  3888   3888       ){
  3889   3889         break;
  3890   3890       }
  3891   3891   
  3892   3892       /* Extract the values to be compared.
  3893   3893       */
  3894   3894       d1 += sqlite3VdbeSerialGet(&aKey1[d1], serial_type1, &mem1);
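
Review bot: The comment block at 3880-3885 still describes the "d1+serial_type1+2" approximation but does not say why the comparison on the two added lines is now carried out in u64, so the casts could look redundant to a later reader and be removed as a cleanup. Suggest adding a sentence there stating that the sums are widened to 64 bits so that a large serial_type1 cannot wrap the 32-bit addition and slip under the nKey1 bound. Separately, the right-hand side changes from (u32)nKey1 to (u64)nKey1; if nKey1 is a signed type, the two casts differ for negative values, so it is worth confirming (or asserting) that nKey1 is non-negative at this point.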