/ Check-in [4d0cfb12]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Avoid a potential buffer overread in fts3 when processing corrupt records.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 4d0cfb1236884349168f8e2ec5e18c0232965148af78615e0d5c9b0e13a35422
User & Date: dan 2020-06-30 15:32:12
Context
2020-06-30
18:21
Add a test to ensure that "PRAGMA wal_checkpoint = FULL" invokes the busy-handler to wait on read-locks. (check-in: f068fb11 user: dan tags: trunk)
15:32
Avoid a potential buffer overread in fts3 when processing corrupt records. (check-in: 4d0cfb12 user: dan tags: trunk)
2020-06-29
20:26
Fix generated columns so that they play well with upsert. See the forum post by "iffycan" for details. (check-in: fa9d93cf user: drh tags: trunk)
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to ext/fts3/fts3_write.c.

2851
2852
2853
2854
2855
2856
2857













2858
2859
2860
2861
2862
2863
2864
....
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000


3001
3002
3003
3004
3005
3006
3007
....
3018
3019
3020
3021
3022
3023
3024



3025
3026
3027
3028
3029
3030
3031
    pCsr->apSegment[i]->nOffsetList = 0;
    pCsr->apSegment[i]->iDocid = 0;
  }

  return SQLITE_OK;
}















int sqlite3Fts3SegReaderStep(
  Fts3Table *p,                   /* Virtual table handle */
  Fts3MultiSegReader *pCsr        /* Cursor object */
){
  int rc = SQLITE_OK;

................................................................................
            iDelta = (i64)((u64)iPrev - (u64)iDocid);
          }else{
            if( nDoclist>0 && iPrev>=iDocid ) return FTS_CORRUPT_VTAB;
            iDelta = (i64)((u64)iDocid - (u64)iPrev);
          }

          nByte = sqlite3Fts3VarintLen(iDelta) + (isRequirePos?nList+1:0);
          if( nDoclist+nByte>pCsr->nBuffer ){
            char *aNew;
            pCsr->nBuffer = (nDoclist+nByte)*2;
            aNew = sqlite3_realloc(pCsr->aBuffer, pCsr->nBuffer);
            if( !aNew ){
              return SQLITE_NOMEM;
            }
            pCsr->aBuffer = aNew;
          }



          if( isFirst ){
            char *a = &pCsr->aBuffer[nDoclist];
            int nWrite;
           
            nWrite = sqlite3Fts3FirstFilter(iDelta, pList, nList, a);
            if( nWrite ){
................................................................................
            }
          }
        }

        fts3SegReaderSort(apSegment, nMerge, j, xCmp);
      }
      if( nDoclist>0 ){



        pCsr->aDoclist = pCsr->aBuffer;
        pCsr->nDoclist = nDoclist;
        rc = SQLITE_ROW;
      }
    }
    pCsr->nAdvance = nMerge;
  }while( rc==SQLITE_OK );







>
>
>
>
>
>
>
>
>
>
>
>
>







 







<
<
<
<
<
<
|
<
<
>
>







 







>
>
>







2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
....
2998
2999
3000
3001
3002
3003
3004






3005


3006
3007
3008
3009
3010
3011
3012
3013
3014
....
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
    pCsr->apSegment[i]->nOffsetList = 0;
    pCsr->apSegment[i]->iDocid = 0;
  }

  return SQLITE_OK;
}

static int fts3GrowSegReaderBuffer(Fts3MultiSegReader *pCsr, int nReq){
  if( nReq>pCsr->nBuffer ){
    char *aNew;
    pCsr->nBuffer = nReq*2;
    aNew = sqlite3_realloc(pCsr->aBuffer, pCsr->nBuffer);
    if( !aNew ){
      return SQLITE_NOMEM;
    }
    pCsr->aBuffer = aNew;
  }
  return SQLITE_OK;
}


int sqlite3Fts3SegReaderStep(
  Fts3Table *p,                   /* Virtual table handle */
  Fts3MultiSegReader *pCsr        /* Cursor object */
){
  int rc = SQLITE_OK;

................................................................................
            iDelta = (i64)((u64)iPrev - (u64)iDocid);
          }else{
            if( nDoclist>0 && iPrev>=iDocid ) return FTS_CORRUPT_VTAB;
            iDelta = (i64)((u64)iDocid - (u64)iPrev);
          }

          nByte = sqlite3Fts3VarintLen(iDelta) + (isRequirePos?nList+1:0);









          rc = fts3GrowSegReaderBuffer(pCsr, nByte+nDoclist);
          if( rc ) return rc;

          if( isFirst ){
            char *a = &pCsr->aBuffer[nDoclist];
            int nWrite;
           
            nWrite = sqlite3Fts3FirstFilter(iDelta, pList, nList, a);
            if( nWrite ){
................................................................................
            }
          }
        }

        fts3SegReaderSort(apSegment, nMerge, j, xCmp);
      }
      if( nDoclist>0 ){
        rc = fts3GrowSegReaderBuffer(pCsr, nDoclist+FTS3_NODE_PADDING);
        if( rc ) return rc;
        memset(&pCsr->aBuffer[nDoclist], 0, FTS3_NODE_PADDING);
        pCsr->aDoclist = pCsr->aBuffer;
        pCsr->nDoclist = nDoclist;
        rc = SQLITE_ROW;
      }
    }
    pCsr->nAdvance = nMerge;
  }while( rc==SQLITE_OK );

Changes to test/fts3corrupt4.test.

6145
6146
6147
6148
6149
6150
6151
6152













6153
} {}

do_execsql_test 43.2 {
  SELECT rowid FROM def WHERE def MATCH '1 NEAR 1'
} {1}

set sqlite_fts3_enable_parentheses $saved














finish_test








>
>
>
>
>
>
>
>
>
>
>
>
>

6145
6146
6147
6148
6149
6150
6151
6152
6153
6154
6155
6156
6157
6158
6159
6160
6161
6162
6163
6164
6165
6166
} {}

do_execsql_test 43.2 {
  SELECT rowid FROM def WHERE def MATCH '1 NEAR 1'
} {1}

set sqlite_fts3_enable_parentheses $saved

#-------------------------------------------------------------------------
reset_db
do_execsql_test 44.1 {
  CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
  INSERT INTO t0_content VALUES(0,NULL,NULL,NULL,NULL);
  INSERT INTO t0_segdir VALUES(0,0,0,0,'0 42',X'00013103010200010332333405010201ba00000461616161050101020200000462626262050101030200');
}

do_execsql_test 44.2 {
  SELECT matchinfo(t0, t0) IS NULL FROM t0 WHERE t0 MATCH '1*'
} {0}


finish_test