/ Check-in [df04859a]

Overview
Comment:Do not assume that text parameters passed to fts4aux queries do not contain embedded nul characters.
SHA3-256:df04859a995571cd6faf1abe088725708f35e81195760274df9e2ec9bd47f69f
User & Date: dan 2019-01-28 13:27:25
Context
2019-01-28
16:50
Fix a buffer overread in fts3 that could occur when accessing a corrupt database. check-in: a9faf903 user: dan tags: trunk
13:27
Do not assume that text parameters passed to fts4aux queries do not contain embedded nul characters. check-in: df04859a user: dan tags: trunk
11:54
Add a new test case to fuzzdata8.db. check-in: ce8e279a user: drh tags: trunk
Changes

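--- a/ext/fts3/fts3_aux.c
+++ b/ext/fts3/fts3_aux.c
@@ -412,23 +412,23 @@
   if( isScan ) pCsr->filter.flags |= FTS3_SEGMENT_SCAN;
 
   if( iEq>=0 || iGe>=0 ){
     const unsigned char *zStr = sqlite3_value_text(apVal[0]);
     assert( (iEq==0 && iGe==-1) || (iEq==-1 && iGe==0) );
     if( zStr ){
       pCsr->filter.zTerm = sqlite3_mprintf("%s", zStr);
-      pCsr->filter.nTerm = sqlite3_value_bytes(apVal[0]);
       if( pCsr->filter.zTerm==0 ) return SQLITE_NOMEM;
+      pCsr->filter.nTerm = strlen(pCsr->filter.zTerm);
     }
   }
 
   if( iLe>=0 ){
     pCsr->zStop = sqlite3_mprintf("%s", sqlite3_value_text(apVal[iLe]));
-    pCsr->nStop = sqlite3_value_bytes(apVal[iLe]);
     if( pCsr->zStop==0 ) return SQLITE_NOMEM;
+    pCsr->nStop = strlen(pCsr->zStop);
   }
   
   if( iLangid>=0 ){
     iLangVal = sqlite3_value_int(apVal[iLangid]);
 
     /* If the user specified a negative value for the languageid, use zero
     ** instead. This works, as the "languageid=?" constraint will also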
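Review bot: Neither new `strlen()` assignment says why the length is taken from the copy instead of from `sqlite3_value_bytes()`, so a later cleanup could restore the old call and with it a length that exceeds the allocation whenever the value contains an embedded nul. A comment above `pCsr->filter.nTerm = strlen(pCsr->filter.zTerm);` and above the matching `pCsr->nStop` line would pin this down, e.g. `/* "%s" stops at the first nul, so measure the copy, not the value */`. Separately, `strlen()` returns `size_t`; if `nTerm` and `nStop` are `int` fields (their declarations are not visible here), an explicit `(int)strlen(...)` would make the narrowing deliberate. The enclosing function starts and ends outside this hunk.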

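--- a/test/fts3aux2.test
+++ b/test/fts3aux2.test
@@ -136,9 +136,33 @@
 do_execsql_test 1.4.6 {
   SELECT term, col, documents, occurrences, languageid 
   FROM terms WHERE term>='e' AND term<'seven' AND languageid=2
 } {
   eight * 1 1 2    eight 1 1 1 2 
   five * 1 1 2     five 0 1 1 2 
 }
 
+#-------------------------------------------------------------------------
+do_execsql_test 2.0 {
+  CREATE VIRTUAL TABLE ft USING fts3();
+  INSERT INTO ft VALUES('a_234567890123456789');
+  INSERT INTO ft VALUES('b_234567890123456789');
+  INSERT INTO ft VALUES('c_234567890123456789');
+  CREATE VIRTUAL TABLE t2 USING fts4aux(ft);
+}
+
+do_execsql_test 2.1 {
+  SELECT term FROM t2 WHERE term=X'625f323334353637383930313233343536373839';
+}
+
+do_execsql_test 2.2 {
+  SELECT term FROM t2 WHERE term<X'625f003334353637383930313233343536373839';
+} {
+  234567890123456789 234567890123456789 a a b b
+}
+
+do_execsql_test 2.3 {
+  SELECT term FROM t2 WHERE term=X'625f003334353637383930313233343536373839';
+}
+
+
 finish_test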
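Review bot: Tests 2.1 and 2.3 expect an empty result, which the pre-fix code would presumably also return, so the block appears to catch the overread only when the suite runs under a memory checker; 2.2 is the only case with a visible result. A short comment under the `#----` separator would record the intent, e.g. `# Blob terms with embedded nul bytes must not make fts4aux read past the copied term.` It could also note that 2.2 and 2.3 carry the nul (the `X'625f00...'` literals) while 2.1 is the nul-free control.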