Check-in [4cc5694c]

Overview
Comment: Ensure that the cell overwrite optimization does not overwrite the header of the b-tree page.
SHA3-256: 4cc5694cbd69749c146679c367860952fdf3f5356426ddfd1dce470569702bc1
User & Date: drh 2019-08-15 13:17:49
Context
2019-08-15 13:46  Avoid downgrading SQLITE_CORRUPT errors detected by the schema parser into SQLITE_NOMEM or SQLITE_ERROR errors. check-in: b2e79f8f user: drh tags: trunk
2019-08-15 13:17  Ensure that the cell overwrite optimization does not overwrite the header of the b-tree page. check-in: 4cc5694c user: drh tags: trunk
2019-08-15 00:04  Early detection of out-of-bounds page numbers on the direct-overflow-read optimization gives consistent error messages regardless of whether or not the optimization is enabled. check-in: b517a52f user: drh tags: trunk
Changes

Changes to src/btree.c.

  7671   7671       ** This must be done in advance.  Once the balance starts, the cell
  7672   7672       ** offset section of the btree page will be overwritten and we will no
  7673   7673       ** long be able to find the cells if a pointer to each cell is not saved
  7674   7674       ** first.
  7675   7675       */
  7676   7676       memset(&b.szCell[b.nCell], 0, sizeof(b.szCell[0])*(limit+pOld->nOverflow));
  7677   7677       if( pOld->nOverflow>0 ){
  7678         -      if( limit<pOld->aiOvfl[0] ){
         7678  +      if( NEVER(limit<pOld->aiOvfl[0]) ){
  7679   7679           rc = SQLITE_CORRUPT_BKPT;
  7680   7680           goto balance_cleanup;
  7681   7681         }
  7682   7682         limit = pOld->aiOvfl[0];
  7683   7683         for(j=0; j<limit; j++){
  7684   7684           b.apCell[b.nCell] = aData + (maskPage & get2byteAligned(piCell));
  7685   7685           piCell += 2;
................................................................................
  8472   8472     int nTotal = pX->nData + pX->nZero; /* Total bytes of to write */
  8473   8473     int rc;                             /* Return code */
  8474   8474     MemPage *pPage = pCur->pPage;       /* Page being written */
  8475   8475     BtShared *pBt;                      /* Btree */
  8476   8476     Pgno ovflPgno;                      /* Next overflow page to write */
  8477   8477     u32 ovflPageSize;                   /* Size to write on overflow page */
  8478   8478   
  8479         -  if( pCur->info.pPayload + pCur->info.nLocal > pPage->aDataEnd ){
         8479  +  if( pCur->info.pPayload + pCur->info.nLocal > pPage->aDataEnd
         8480  +   || pCur->info.pPayload < pPage->aData + pPage->cellOffset
         8481  +  ){
  8480   8482       return SQLITE_CORRUPT_BKPT;
  8481   8483     }
  8482   8484     /* Overwrite the local portion first */
  8483   8485     rc = btreeOverwriteContent(pPage, pCur->info.pPayload, pX,
  8484   8486                                0, pCur->info.nLocal);
  8485   8487     if( rc ) return rc;
  8486   8488     if( pCur->info.nLocal==nTotal ) return SQLITE_OK;
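Review bot: The new lower-bound test at 8480 rejects a payload pointer that lands in the page header, which is the overwrite the check-in comment describes, but the condition does not explain itself: `pPage->aData + pPage->cellOffset` is the first byte past the header (cellOffset is the index of the first cell pointer), and a short comment saying so would make the intent as readable as the existing `aDataEnd` upper bound. Note that this bound still admits a pPayload inside the cell-pointer array, between cellOffset and the start of cell content, so if that region must also be protected a tighter lower bound is needed; if overwriting there is harmless, say so in the same comment. Minor: the context comment at 8472, "Total bytes of to write", has a stray "of".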

Changes to test/fuzzdata8.db.

cannot compute difference between binary files