Check-in [daef5869]

Overview
Comment: Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread. Cherrypick of [c9a30e117f].
SHA1: daef5869f4d62ebb24eb03b79fe4be0812fa0496
User & Date: dan 2016-03-01 14:51:36
Context
2016-03-01
15:09
Merge branch-3.11-matchinfo into this branch. check-in: 42358170 user: dan tags: branch-3.11
14:51
Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread. Cherrypick of [c9a30e117f]. Closed-Leaf check-in: daef5869 user: dan tags: branch-3.11-matchinfo
14:50
Fix an fts5 problem causing 'optimize' to corrupt the fts index under some circumstances. Cherrypick of [251d6473f7]. check-in: 5b1b7ab5 user: dan tags: branch-3.11-matchinfo
2016-02-29
17:34
Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread. check-in: c9a30e11 user: dan tags: trunk
Changes

Changes to ext/fts5/fts5_index.c.

   693    693       p->rc = rc;
   694    694       p->nRead++;
   695    695     }
   696    696   
   697    697     assert( (pRet==0)==(p->rc!=SQLITE_OK) );
   698    698     return pRet;
   699    699   }
          700  +
   700    701   
   701    702   /*
   702    703   ** Release a reference to data record returned by an earlier call to
   703    704   ** fts5DataRead().
   704    705   */
   705    706   static void fts5DataRelease(Fts5Data *pData){
   706    707     sqlite3_free(pData);
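Review bot: the only change in this hunk is the blank line added at new line 700, which leaves two consecutive blank lines (700 and 701) between the closing brace of the function above and the comment block for fts5DataRelease(); either drop the new line or the existing blank at 701 so the file keeps a single separator between functions, as the surrounding code does.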
................................................................................
  2150   2151     int bEndOfPage = 0;
  2151   2152   
  2152   2153     assert( p->rc==SQLITE_OK );
  2153   2154   
  2154   2155     iPgidx = szLeaf;
  2155   2156     iPgidx += fts5GetVarint32(&a[iPgidx], iTermOff);
  2156   2157     iOff = iTermOff;
         2158  +  if( iOff>n ){
         2159  +    p->rc = FTS5_CORRUPT;
         2160  +    return;
         2161  +  }
  2157   2162   
  2158   2163     while( 1 ){
  2159   2164   
  2160   2165       /* Figure out how many new bytes are in this term */
  2161   2166       fts5FastGetVarint32(a, iOff, nNew);
  2162   2167       if( nKeep<nMatch ){
  2163   2168         goto search_failed;
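Review bot: the new bound check `if( iOff>n )` admits iOff==n, and the first statement inside the loop, `fts5FastGetVarint32(a, iOff, nNew)`, then reads a[n]; if n is the byte count of a and the record is not guaranteed to carry zeroed padding past n, the comparison should be `iOff>=n`, and a short comment stating which of the two holds would save the next reader the same question. The check is also placed after `iPgidx += fts5GetVarint32(&a[iPgidx], iTermOff)`, which reads at a[szLeaf] with no bound on szLeaf visible in this hunk; if szLeaf is validated against n earlier in the function, a comment saying so here would help, otherwise the same corrupt-db case can still read past the buffer on that line. Setting p->rc = FTS5_CORRUPT and returning early is consistent with how the function reports errors (the `assert( p->rc==SQLITE_OK )` above), so the error path itself looks right.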