Index: src/btree.c
==================================================================
--- src/btree.c
+++ src/btree.c
@@ -7424,10 +7424,15 @@
 return SQLITE_CORRUPT_BKPT;
 }
 rc = getAndInitPage(pBt, pgno, &pPage, 0);
 if( rc ) return rc;
+ if( pPage->bBusy ){
+ rc = SQLITE_CORRUPT_BKPT;
+ goto cleardatabasepage_out;
+ }
+ pPage->bBusy = 1;
 hdr = pPage->hdrOffset;
 for(i=0; inCell; i++){
 pCell = findCell(pPage, i);
 if( !pPage->leaf ){
 rc = clearDatabasePage(pBt, get4byte(pCell), 1, pnChange);
@@ -7448,10 +7453,11 @@
 }else if( (rc = sqlite3PagerWrite(pPage->pDbPage))==0 ){
 zeroPage(pPage, pPage->aData[hdr] | PTF_LEAF);
 }
 cleardatabasepage_out:
+ pPage->bBusy = 0;
 releasePage(pPage);
 return rc;
 }
 /*
Index: src/btreeInt.h
==================================================================
--- src/btreeInt.h
+++ src/btreeInt.h
@@ -277,10 +277,11 @@
 u8 leaf; /* True if leaf flag is set */
 u8 hasData; /* True if this page stores data */
 u8 hdrOffset; /* 100 for page 1. 0 otherwise */
 u8 childPtrSize; /* 0 if leaf==1. 4 if leaf==0 */
 u8 max1bytePayload; /* min(maxLocal,127) */
+ u8 bBusy; /* Prevent endless loop in clearDatabasePage() */
 u16 maxLocal; /* Copy of BtShared.maxLocal or BtShared.maxLeaf */
 u16 minLocal; /* Copy of BtShared.minLocal or BtShared.minLeaf */
 u16 cellOffset; /* Index in aData of first cell pointer */
 u16 nFree; /* Number of free bytes on the page */
 u16 nCell; /* Number of cells on this page, local and ovfl */
ADDED test/corruptJ.test
Index: test/corruptJ.test
==================================================================
--- /dev/null
+++ test/corruptJ.test
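Review bot: The busy-detection branch `if( pPage->bBusy ){ ... goto cleardatabasepage_out; }` jumps to a label that now does `pPage->bBusy = 0` before `releasePage(pPage)`, so the frame that detects the cycle clears the flag owned by the ancestor frame that is still iterating the same page. Termination then depends on every caller aborting on the non-zero rc; if any caller continued past a failed child clear, the page would look free again and the recursion the flag is meant to stop could resume. Returning without touching the flag is cheaper and self-evidently safe: `if( pPage->bBusy ){ releasePage(pPage); return SQLITE_CORRUPT_BKPT; }`. The flag also only catches cycles: a corrupt chain of distinct pages can still nest this recursion as deep as the page count, so a depth bound may be worth adding as well. The rest of clearDatabasePage(), including the check on the recursive call's rc, lies outside the hunk.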
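Review bot: `u8 bBusy` is read before it is ever set on the first visit to a page in clearDatabasePage(), so its correctness depends on every MemPage being zeroed when the page object is allocated — presumably the pager's extra-space initialization covers it, but confirm no path reuses a MemPage without resetting it. The comment names only the symptom; stating the invariant makes the field self-explanatory and keeps readers from mistaking it for thread-safety state: `u8 bBusy; /* Set while clearDatabasePage() is recursing into this page; nonzero on entry means a cycle (corruption) */`.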
@@ -0,0 +1,80 @@
+# 2015-03-30
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+# Corruption consisting of a database page that thinks it is a child
+# of itself.
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix corruptJ
+
+if {[permutation]=="mmap"} {
+ finish_test
+ return
+}
+
+# Do not use a codec for tests in this file, as the database file is
+# manipulated directly using tcl scripts (using the [hexio_write] command).
+#
+do_not_use_codec
+database_may_be_corrupt
+
+# Initialize the database.
+#
+do_execsql_test 1.1 {
+ PRAGMA page_size=1024;
+ PRAGMA auto_vacuum=0;
+ CREATE TABLE t1(a,b);
+ WITH RECURSIVE c(i) AS (VALUES(1) UNION ALL SELECT i+1 FROM c WHERE i<10)
+ INSERT INTO t1(a,b) SELECT i, zeroblob(700) FROM c;
+} {}
+db close
+
+# Corrupt the root page of the t1 table such that the left-child pointer
+# for the very first cell points back to the root. Then try to DROP the
+# table. The clearDatabasePage() routine should not loop.
+#
+do_test 1.2 {
+ hexio_write test.db [expr {2*1024-2}] 02
+ sqlite3 db test.db
+ catchsql { DROP TABLE t1 }
+} {1 {database disk image is malformed}}
+
+# Similar test using a WITHOUT ROWID table
+#
+do_test 2.1 {
+ db close
+ forcedelete test.db
+ sqlite3 db test.db
+ db eval {
+ PRAGMA page_size=1024;
+ PRAGMA auto_vacuum=0;
+ CREATE TABLE t1(a,b,PRIMARY KEY(a,b)) WITHOUT ROWID;
+ WITH RECURSIVE c(i) AS (VALUES(1) UNION ALL SELECT i+1 FROM c WHERE i<100)
+ INSERT INTO t1(a,b) SELECT i, zeroblob(200) FROM c;
+ }
+} {}
+
+# The table is three levels deep. Corrupt the left child of an intermediate
+# page so that it points back to the root page.
+#
+do_test 2.2 {
+ db close
+ hexio_read test.db [expr {9*1024+391}] 8
+} {0000000B814D0401}
+do_test 2.2b {
+ hexio_write test.db [expr {9*1024+391}] 00000002
+ sqlite3 db test.db
+ catchsql { PRAGMA secure_delete=ON; DROP TABLE t1; }
+} {1 {database disk image is malformed}}
+
+finish_test
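Review bot: Tests 1.2 and 2.2b check only that DROP TABLE fails with the malformed-image error; neither verifies that the failed DROP left the connection usable, e.g. `catchsql { SELECT count(*) FROM sqlite_master }` after each, which is what distinguishes a clean SQLITE_CORRUPT return from an abort part-way through the unwind. Both cases corrupt a page into being its own child, so the frame that sees bBusy set is always the one directly below the frame that set it; a two-page cycle (A points to B, B back to A) would exercise the flag being observed from a frame that did not set it and would be cheap to add beside 2.2b. The offsets `2*1024-2` and `9*1024+391` encode the page layout produced by the exact INSERTs above; the hexio_read guard in 2.2 protects the second, and a matching read before the write in 1.2 would protect the first against silently corrupting the wrong bytes.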