SQLite

Check-in [cb50509020]

Overview
Comment: Avoid reading off the front of a page buffer when balancing a corrupt btree page.
SHA3-256: cb50509020d952fa9efed8df7fa08b07b71ae9bdbdefea216b6e660863291039
User & Date: drh 2019-01-14 05:48:10.140
Context
2019-01-14
11:56
Have fts3 ignore empty sets of parenthesis if built with SQLITE_ENABLE_FTS3_PARENTHESIS. (check-in: c93c6b45a3 user: dan tags: trunk)
05:48
Avoid reading off the front of a page buffer when balancing a corrupt btree page. (check-in: cb50509020 user: drh tags: trunk)
2019-01-13
20:23
In dbfuzz2, avoid using a malloc in the LLVMFuzzerInitialize() initializer routine, so that no memory leaks are reported. Also, show the version of SQLite being used when the -v option is on. (check-in: 824f932469 user: drh tags: trunk)
Changes
Changes to src/btree.c.







-

+
+
+
+
+
+

+
+







    if( rc ){ *pRC = rc; return; }
    /* The allocateSpace() routine guarantees the following properties
    ** if it returns successfully */
    assert( idx >= 0 );
    assert( idx >= pPage->cellOffset+2*pPage->nCell+2 || CORRUPT_DB );
    assert( idx+sz <= (int)pPage->pBt->usableSize );
    pPage->nFree -= (u16)(2 + sz);
    memcpy(&data[idx], pCell, sz);
    if( iChild ){
      /* In a corrupt database where an entry in the cell index section of
      ** a btree page has a value of 3 or less, the pCell value might point
      ** as many as 4 bytes in front of the start of the aData buffer for
      ** the source page.  Make sure this does not cause problems by not
      ** reading the first 4 bytes */
      memcpy(&data[idx+4], pCell+4, sz-4);
      put4byte(&data[idx], iChild);
    }else{
      memcpy(&data[idx], pCell, sz);
    }
    pIns = pPage->aCellIdx + i*2;
    memmove(pIns+2, pIns, 2*(pPage->nCell - i));
    put2byte(pIns, idx);
    pPage->nCell++;
    /* increment the cell count */
    if( (++data[pPage->hdrOffset+4])==0 ) data[pPage->hdrOffset+3]++;
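
Review bot: in the if( iChild ) branch, memcpy(&data[idx+4], pCell+4, sz-4) depends on sz being at least 4, and none of the asserts shown above it state that. If sz were ever smaller, sz-4 would be negative when passed as the memcpy length. Suggest adding assert( sz>=4 ); at the top of that branch so the invariant the copy relies on is written down next to it. The new comment could also say that the four skipped bytes are exactly the ones put4byte(&data[idx], iChild) overwrites, which is why not reading them from pCell loses nothing.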