Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Add extra defenses against strategically corrupt databases to fts3/4. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | branch-3.19 |
Files: | files | file ages | folders |
SHA3-256: |
4f315e4a3d15b9196924db10dee9c144 |
User & Date: | drh 2018-12-19 01:44:50.669 |
Context
2018-12-19
| ||
14:44 | Fix a crash that can follow an OOM in fts3 on this branch. (check-in: de07814857 user: dan tags: branch-3.19) | |
01:44 | Add extra defenses against strategically corrupt databases to fts3/4. (check-in: 4f315e4a3d user: drh tags: branch-3.19) | |
2018-11-03
| ||
16:51 | Add extra defenses against strategically corrupt databases to fts3/4. (check-in: d44318f590 user: dan tags: trunk) | |
2018-03-16
| ||
07:49 | Fix a problem in test script thread001.test causing a spurious "-1 files were left open" error when run separately. Cherrypick of [1774f1c3b]. (check-in: 6cf8172d94 user: dan tags: branch-3.19) | |
Changes
Changes to ext/fts3/fts3.c.
︙ | |||
1808 1809 1810 1811 1812 1813 1814 | 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 | - + | sqlite3_int64 *piFirst, /* OUT: Selected child node */ sqlite3_int64 *piLast /* OUT: Selected child node */ ){ int rc = SQLITE_OK; /* Return code */ const char *zCsr = zNode; /* Cursor to iterate through node */ const char *zEnd = &zCsr[nNode];/* End of interior node buffer */ char *zBuffer = 0; /* Buffer to load terms into */ |
︙ | |||
1846 1847 1848 1849 1850 1851 1852 | 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 | - + - + - - + + | if( !isFirstTerm ){ zCsr += fts3GetVarint32(zCsr, &nPrefix); } isFirstTerm = 0; zCsr += fts3GetVarint32(zCsr, &nSuffix); assert( nPrefix>=0 && nSuffix>=0 ); |
︙ |
Changes to ext/fts3/fts3_write.c.
︙ | |||
1369 1370 1371 1372 1373 1374 1375 | 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 | - - + + + + + + - - - + + + | rc = fts3SegReaderRequire(pReader, pNext, FTS3_VARINT_MAX*2); if( rc!=SQLITE_OK ) return rc; /* Because of the FTS3_NODE_PADDING bytes of padding, the following is ** safe (no risk of overread) even if the node data is corrupted. */ pNext += fts3GetVarint32(pNext, &nPrefix); pNext += fts3GetVarint32(pNext, &nSuffix); |
︙ | |||
1399 1400 1401 1402 1403 1404 1405 | 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 | - + | pReader->aDoclist = pNext; pReader->pOffsetList = 0; /* Check that the doclist does not appear to extend past the end of the ** b-tree node. And that the final byte of the doclist is 0x00. If either ** of these statements is untrue, then the data structure is corrupt. */ |
︙ | |||
3722 3723 3724 3725 3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737 3738 3739 3740 3741 3742 | 3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737 3738 3739 3740 3741 3742 3743 3744 3745 3746 3747 3748 3749 3750 3751 3752 3753 3754 3755 3756 3757 3758 3759 | + + + + + + - | p->aNode = 0; }else{ if( bFirst==0 ){ p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nPrefix); } p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix); if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){ return SQLITE_CORRUPT_VTAB; } blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc); if( rc==SQLITE_OK ){ memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix); p->term.n = nPrefix+nSuffix; p->iOff += nSuffix; if( p->iChild==0 ){ p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist); if( (p->nNode-p->iOff)<p->nDoclist ){ return SQLITE_CORRUPT_VTAB; } p->aDoclist = &p->aNode[p->iOff]; p->iOff += p->nDoclist; } } } assert( p->iOff<=p->nNode ); |
︙ |
Added test/fts3corrupt4.test.