/ Check-in [db293547]


Overview
Comment:Fix a potential buffer overread that could have occurred when searching a corrupt database file.
SHA1: db2935473eab91cde3c01353ae29e112ab0c7acb
User & Date: drh 2014-03-26 16:22:38
Context
2014-03-26
16:25
Increase the version number to 3.8.4.2. check-in: 59978a2e user: drh tags: branch-3.8.4
16:22
Fix a potential buffer overread that could have occurred when searching a corrupt database file. check-in: db293547 user: drh tags: branch-3.8.4
15:14
Add an extra test case for the potential buffer overread patched by [28ddecff04]. check-in: f585f5d7 user: dan tags: trunk
15:05
Add a test case to verify that the previous change avoids excess buffer overread in sqlite3VdbeRecordCompare(). check-in: 2b28e8d5 user: drh tags: trunk
14:51
Earlier detection of corruption in sqlite3VdbeRecordCompare() in order to avoid a potential buffer overread. check-in: 28ddecff user: drh tags: trunk
2014-03-11
15:27
Version 3.8.4.1 check-in: 018d317b user: drh tags: trunk, release, version-3.8.4.1
Changes

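--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -3428,14 +3428,15 @@
     szHdr1 = aKey1[0];
     d1 = szHdr1 + sqlite3VdbeSerialTypeLen(s1);
     i = 1;
     pRhs++;
   }else{
     idx1 = getVarint32(aKey1, szHdr1);
     d1 = szHdr1;
+    if( d1>(unsigned)nKey1 ) return 1;  /* Corruption */
     i = 0;
   }
 
   VVA_ONLY( mem1.zMalloc = 0; ) /* Only needed by assert() statements */
   assert( pPKey2->pKeyInfo->nField+pPKey2->pKeyInfo->nXField>=pPKey2->nField 
        || CORRUPT_DB );
   assert( pPKey2->pKeyInfo->aSortOrder!=0 );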
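Review bot: The new bound check on line 3435 guards only the multi-byte-header branch; the single-byte branch just above it (`szHdr1 = aKey1[0]; d1 = szHdr1 + sqlite3VdbeSerialTypeLen(s1);`) derives d1 from the same untrusted header byte plus a serial-type length and is not compared against nKey1 in this hunk, so unless that path is bounded before the hunk (the enclosing function starts outside it, so I cannot see) a read past aKey1 may still be reachable there. The check also relies on the `(unsigned)nKey1` cast being safe, which holds only if nKey1 is never negative at this point; worth confirming against the callers. The `/* Corruption */` comment should say what the early return means to the caller, e.g. `/* Corrupt record: header size exceeds the key; report aKey1 as the larger key instead of reading past its end */`, since a bare `return 1` here looks like an ordinary comparison result rather than a corruption sentinel.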

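--- a/test/corruptI.test
+++ b/test/corruptI.test
@@ -28,25 +28,52 @@
 # Initialize the database.
 #
 do_execsql_test 1.1 {
   PRAGMA page_size=1024;
   PRAGMA auto_vacuum=0;
   CREATE TABLE t1(a);
   CREATE INDEX i1 ON t1(a);
-  INSERT INTO t1 VALUES('a');
+  INSERT INTO t1 VALUES('abcdefghijklmnop');
 } {}
 db close
 
 do_test 1.2 {
   set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
   set off [expr 2*1024 + $offset + 1]
-  hexio_write test.db $off FF06
-
-  breakpoint
+  hexio_write test.db $off 7f06
+  sqlite3 db test.db
+  catchsql { SELECT * FROM t1 WHERE a = 10 }
+} {0 {}}
 
+do_test 1.3 {
+  db close
+  set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
+  set off [expr 2*1024 + $offset + 1]
+  hexio_write test.db $off FFFF7f02
   sqlite3 db test.db
   catchsql { SELECT * FROM t1 WHERE a = 10 }
+} {0 {}}
+
+do_test 2.0 {
+  execsql {
+    CREATE TABLE r(x);
+    INSERT INTO r VALUES('ABCDEFGHIJK');
+    CREATE INDEX r1 ON r(x);
+  }
+  set pg [db one {SELECT rootpage FROM sqlite_master WHERE name = 'r1'}]
+} {5}
+
+do_test 2.1 {
+  db close
+  set offset [hexio_get_int [hexio_read test.db [expr (5-1)*1024 + 8] 2]]
+  set off [expr (5-1)*1024 + $offset + 1]
+  hexio_write test.db $off FFFF0004
+  sqlite3 db test.db
+  catchsql { SELECT * FROM r WHERE x >= 10.0 }
+} {1 {database disk image is malformed}}
+
+do_test 2.2 {
+  catchsql { SELECT * FROM r WHERE x >= 10 }
 } {1 {database disk image is malformed}}
 
 
 finish_test
-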
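Review bot: Tests 1.2 and 1.3 expect `{0 {}}` after overwriting the record header, so they only establish that the lookup returns without crashing, not that the oversized header was recognised as corruption; a reader cannot tell from the file whether a silent empty result is the intended contract or a gap in detection. A short comment above `do_test 1.2` stating that an out-of-range header size is expected to be treated as a non-matching key rather than reported as SQLITE_CORRUPT (if that is the intent) would make this explicit, and a follow-up `catchsql { PRAGMA integrity_check }` assertion would pin the behaviour down. Test 2.0 also hard-codes the root page as `{5}` and 2.1 then recomputes the page offset as `(5-1)*1024`; using `[expr ($pg-1)*1024 + 8]` there would keep the two in step if earlier tests ever change the page layout.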