Overview
Comment:Fix a buffer overread in fts3 that could occur in a prefix query on a corrupted database.
SHA3-256: d0d5689371577b2861d4a9464443d055f3256f3f51d89e0388233a4cbe2601ee
User & Date: dan 2019-01-24 17:41:12
Context
2019-01-25
13:42
Fix a couple of assert() statements in btree.c that could fail with corrupt databases. check-in: 5eb5e828 user: dan tags: trunk
04:00
Add the ability to process dbsqlfuzz cases in fuzzcheck and add an initial set of interesting dbsqlfuzz cases. check-in: fb9074ff user: drh tags: dbsqlfuzz-in-fuzzcheck
2019-01-24
17:41
Fix a buffer overread in fts3 that could occur in a prefix query on a corrupted database. check-in: d0d56893 user: dan tags: trunk
16:27
Fix a problem with running ALTER TABLE on a schema that contains expressions of the type "col IN ()" (empty set on RHS of IN operator). check-in: 2d9cd067 user: dan tags: trunk
Changes

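--- a/ext/fts3/fts3.c
+++ b/ext/fts3/fts3.c
@@ -2544,15 +2544,15 @@
   ** The space required to store the output is therefore the sum of the
   ** sizes of the two inputs, plus enough space for exactly one of the input
   ** docids to grow. 
   **
   ** A symetric argument may be made if the doclists are in descending 
   ** order.
   */
-  aOut = sqlite3_malloc64((sqlite3_int64)n1+n2+FTS3_VARINT_MAX-1);
+  aOut = sqlite3_malloc64((i64)n1+n2+FTS3_VARINT_MAX-1+FTS3_BUFFER_PADDING);
   if( !aOut ) return SQLITE_NOMEM;
 
   p = aOut;
   fts3GetDeltaVarint3(&p1, pEnd1, 0, &i1);
   fts3GetDeltaVarint3(&p2, pEnd2, 0, &i2);
   while( p1 || p2 ){
     sqlite3_int64 iDiff = DOCID_CMP(i1, i2);
@@ -2573,18 +2573,20 @@
       fts3GetDeltaVarint3(&p2, pEnd2, bDescDoclist, &i2);
     }
   }
 
   if( rc!=SQLITE_OK ){
     sqlite3_free(aOut);
     p = aOut = 0;
+  }else{
+    assert( (p-aOut)<=n1+n2+FTS3_VARINT_MAX-1 );
+    memset(&aOut[(p-aOut)], 0, FTS3_BUFFER_PADDING);
   }
   *paOut = aOut;
   *pnOut = (int)(p-aOut);
-  assert( *pnOut<=n1+n2+FTS3_VARINT_MAX-1 );
   return rc;
 }
 
 /*
 ** This function does a "phrase" merge of two doclists. In a phrase merge,
 ** the output contains a copy of each position from the right-hand input
 ** doclist for which there is a position in the left-hand input doclist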
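Review bot: The header comment above the allocation (its start, like the function's signature, lies outside the hunk) still sizes the buffer as exactly n1+n2+FTS3_VARINT_MAX-1 bytes, so the FTS3_BUFFER_PADDING tail added at line 2551 and zeroed at line 2582 is undocumented at the one place a maintainer will look. I would extend that comment with `** The buffer is over-allocated by FTS3_BUFFER_PADDING bytes, zeroed on success, so that a decoder that reads past the logical end of a corrupt doclist stays inside the allocation.` — presumably that is the overread the check-in message refers to, which is worth confirming against the reader side before wording it as fact. The memset at 2582 is only in bounds because the merge loop never emits more than n1+n2+FTS3_VARINT_MAX-1 bytes; the assert at 2581 records that but is compiled out in NDEBUG builds, so a one-line comment beside the memset stating the invariant it relies on would help the next reader.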

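--- a/test/fts3corrupt4.test
+++ b/test/fts3corrupt4.test
@@ -2146,10 +2146,21 @@
   WITH RECURSIVE c(x) AS (VALUES(1) UNION ALL SELECT x+1 FROM c WHERE x<10)
     INSERT INTO t1(a) SELECT randomblob(3000) FROM c;
 }
 
 do_catchsql_test 14.2 {
   INSERT INTO t1(t1) VALUES('optimize');
 } {1 {database disk image is malformed}}
+
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 15.0 {
+  CREATE VIRTUAL TABLE t1 USING fts3(a, content="");
+  INSERT INTO t1_segdir VALUES(0,0,0,0,'0 665',X'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');
+}
+
+do_execsql_test 15.1 {
+  SELECT quote(matchinfo(t1, t1 ))==0 FROM t1 WHERE t1 MATCH 'e*';
+} {0 0 0 0 0 0}
 
 finish_test
 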
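Review bot: Tests 15.0 and 15.1 are added without a comment saying what the hand-written t1_segdir row corrupts or what the expected result means, and the separator at line 2154 is followed directly by reset_db rather than the usual description. A line such as `# Check that a prefix query ('e*') over a crafted segment does not read past the end of the merged doclist (see the FTS3_BUFFER_PADDING change in fts3.c).` would tie the fixture to the fix. Because the defect is an overread rather than a wrong answer, the `{0 0 0 0 0 0}` result does not by itself show the bug is gone on a plain build; this case is a regression guard only when the suite runs under a memory checker such as valgrind or ASan, which is worth stating in that comment.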