Check-in [4b05caeb]


Overview
Comment:Initialize the 18-byte overrun area on the buffer used to reconstruct overflow btree cells during a btree search, to avoid a harmless jump-depends-on-uninit-values warning.
SHA3-256: 4b05caeb1b9767ba58cb4261ecc22cdd495216b3258d45f2165cdbd3ea079495
User & Date: drh 2019-05-16 20:36:07
Context
2019-05-16
20:40  Add test cases to test/fuzzdata7.db for (harmless) dbfuzz2 finds. check-in: 1eb2a628 user: drh tags: trunk
20:36  Initialize the 18-byte overrun area on the buffer used to reconstruct overflow btree cells during a btree search, to avoid a harmless jump-depends-on-uninit-values warning. check-in: 4b05caeb user: drh tags: trunk
20:13  Fix an assert() in the OP_Delete opcode that could fail with a corrupt database. check-in: 915388ab user: dan tags: trunk
Changes

Changes to src/btree.c.

  5520   5520             **
  5521   5521             ** If the record is corrupt, the xRecordCompare routine may read
  5522   5522             ** up to two varints past the end of the buffer. An extra 18 
  5523   5523             ** bytes of padding is allocated at the end of the buffer in
  5524   5524             ** case this happens.  */
  5525   5525             void *pCellKey;
  5526   5526             u8 * const pCellBody = pCell - pPage->childPtrSize;
         5527  +          const int nOverrun = 18;  /* Size of the overrun padding */
  5527   5528             pPage->xParseCell(pPage, pCellBody, &pCur->info);
  5528   5529             nCell = (int)pCur->info.nKey;
  5529   5530             testcase( nCell<0 );   /* True if key size is 2^32 or more */
  5530   5531             testcase( nCell==0 );  /* Invalid key size:  0x80 0x80 0x00 */
  5531   5532             testcase( nCell==1 );  /* Invalid key size:  0x80 0x80 0x01 */
  5532   5533             testcase( nCell==2 );  /* Minimum legal index key size */
  5533   5534             if( nCell<2 || nCell/pCur->pBt->usableSize>pCur->pBt->nPage ){
  5534   5535               rc = SQLITE_CORRUPT_PAGE(pPage);
  5535   5536               goto moveto_finish;
  5536   5537             }
  5537         -          pCellKey = sqlite3Malloc( nCell+18 );
         5538  +          pCellKey = sqlite3Malloc( nCell+nOverrun );
  5538   5539             if( pCellKey==0 ){
  5539   5540               rc = SQLITE_NOMEM_BKPT;
  5540   5541               goto moveto_finish;
  5541   5542             }
  5542   5543             pCur->ix = (u16)idx;
  5543   5544             rc = accessPayload(pCur, 0, nCell, (unsigned char*)pCellKey, 0);
         5545  +          memset(((u8*)pCellKey)+nCell,0,nOverrun); /* Fix uninit warnings */
  5544   5546             pCur->curFlags &= ~BTCF_ValidOvfl;
  5545   5547             if( rc ){
  5546   5548               sqlite3_free(pCellKey);
  5547   5549               goto moveto_finish;
  5548   5550             }
  5549   5551             c = sqlite3VdbeRecordCompare(nCell, pCellKey, pIdxKey);
  5550   5552             sqlite3_free(pCellKey);
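Review bot: the literal 18 still appears in the comment at 5522 ("An extra 18 bytes of padding is allocated") while the allocation at 5538 now takes its size from the new local `const int nOverrun = 18;`, so the comment and the code can drift apart; consider rewording the comment to name nOverrun, or hoisting the constant into a named macro placed next to the comment that explains why two varints need it. Otherwise the change reads correctly: the memset at 5545 zeroes only the padding bytes starting at pCellKey+nCell, it runs before the `if( rc )` path frees the buffer (harmless, a few wasted stores on the error path), and since accessPayload fills the first nCell bytes the whole nCell+nOverrun allocation is initialized before sqlite3VdbeRecordCompare reads it. Note that the zero fill only silences the uninitialized-read report; the guarantee that a corrupt record cannot read outside the allocation still rests on the 18-byte bound matching the maximum over-read of two varints (9 bytes each), as the comment at 5521-5524 states.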