Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Avoid a buffer overread when comparing against a corrupt record that spans at least one overflow page. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: |
62a5b3633a086694ef0e579a0a82322c |
| User & Date: | dan 2015-05-26 20:31:20.007 |
Context
|
2015-05-27
| ||
| 15:10 | Disallow the use of "rowid" in CTEs - it has never worked correctly and it makes no sense, so we might as well make it an explicit error. Also: add the PRAGMA cell_size_check=ON command. (check-in: 19e2cebc12 user: drh tags: trunk) | |
| 14:21 | A different approach to preventing buffer overreads when comparing a vector of values with a corrupt index record that spans at least one overflow page. (Closed-Leaf check-in: 7e9e1b6123 user: dan tags: avoid-buffer-overread) | |
| 13:06 | CTEs have never had working rowids. So disallow the use of the "rowid" column within CTEs. (Closed-Leaf check-in: 0055df0445 user: drh tags: no-rowid-in-cte) | |
| 03:46 | Add the "PRAGMA cell_size_check=ON" command. (Closed-Leaf check-in: 2ead43f074 user: drh tags: cell-size-check-pragma) | |
|
2015-05-26
| ||
| 20:31 | Avoid a buffer overread when comparing against a corrupt record that spans at least one overflow page. (check-in: 62a5b3633a user: dan tags: trunk) | |
| 20:07 | Avoid branching on an uninitalized variable when comparing SQL values with the undefined serial types 10 and 11 (which only appear in corrupt databases). (check-in: b4a45d3b78 user: dan tags: trunk) | |
Changes
Changes to src/btree.c.
| ︙ | ︙ | |||
4947 4948 4949 4950 4951 4952 4953 |
** fits entirely on the main b-tree page. */
testcase( pCell+nCell+2==pPage->aDataEnd );
c = xRecordCompare(nCell, (void*)&pCell[2], pIdxKey);
}else{
/* The record flows over onto one or more overflow pages. In
** this case the whole cell needs to be parsed, a buffer allocated
** and accessPayload() used to retrieve the record into the
| | > > > | > | 4947 4948 4949 4950 4951 4952 4953 4954 4955 4956 4957 4958 4959 4960 4961 4962 4963 4964 4965 4966 4967 4968 4969 4970 4971 4972 4973 4974 4975 4976 |
** fits entirely on the main b-tree page. */
testcase( pCell+nCell+2==pPage->aDataEnd );
c = xRecordCompare(nCell, (void*)&pCell[2], pIdxKey);
}else{
/* The record flows over onto one or more overflow pages. In
** this case the whole cell needs to be parsed, a buffer allocated
** and accessPayload() used to retrieve the record into the
** buffer before VdbeRecordCompare() can be called. An extra
** byte of zeroed padding is allocated at the end of the buffer,
** as this stops the record-compare routines from reading past
** the end of the buffer if the record is corrupt. */
void *pCellKey;
u8 * const pCellBody = pCell - pPage->childPtrSize;
btreeParseCellPtr(pPage, pCellBody, &pCur->info);
nCell = (int)pCur->info.nKey;
pCellKey = sqlite3Malloc( nCell+1 );
if( pCellKey==0 ){
rc = SQLITE_NOMEM;
goto moveto_finish;
}
pCur->aiIdx[pCur->iPage] = (u16)idx;
rc = accessPayload(pCur, 0, nCell, (unsigned char*)pCellKey, 2);
((unsigned char *)pCellKey)[nCell] = 0;
if( rc ){
sqlite3_free(pCellKey);
goto moveto_finish;
}
c = xRecordCompare(nCell, pCellKey, pIdxKey);
sqlite3_free(pCellKey);
}
|
| ︙ | ︙ |
Changes to src/vdbeaux.c.
| ︙ | ︙ | |||
3647 3648 3649 3650 3651 3652 3653 |
do{
u32 serial_type;
/* RHS is an integer */
if( pRhs->flags & MEM_Int ){
serial_type = aKey1[idx1];
testcase( serial_type==12 );
| | | 3647 3648 3649 3650 3651 3652 3653 3654 3655 3656 3657 3658 3659 3660 3661 |
do{
u32 serial_type;
/* RHS is an integer */
if( pRhs->flags & MEM_Int ){
serial_type = aKey1[idx1];
testcase( serial_type==12 );
if( serial_type>=10 ){
rc = +1;
}else if( serial_type==0 ){
rc = -1;
}else if( serial_type==7 ){
double rhs = (double)pRhs->u.i;
sqlite3VdbeSerialGet(&aKey1[d1], serial_type, &mem1);
if( mem1.u.r<rhs ){
|
| ︙ | ︙ |