/ Check-in [666cf8f6]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix the fts3DecodeIntArray() function so that it will not read off the end of the buffer it is handed. Any unread integers are set to zero.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 666cf8f6b39ae1f72e82b45e9cacba23caf61370ca0c695b3b14452accbb1a0d
User & Date: drh 2019-01-10 01:12:43
Context
2019-01-10
13:56
Use the new SQLITE_IDXTYPE_IPK values (3) on Index.idxType to indicate the fake INTEGER PRIMARY KEY index used during query planning. check-in: e22d2f90 user: drh tags: trunk
01:12
Fix the fts3DecodeIntArray() function so that it will not read off the end of the buffer it is handed. Any unread integers are set to zero. check-in: 666cf8f6 user: drh tags: trunk
2019-01-09
21:12
Fix an out-of-bounds read in SQL function fts5_decode() that could occur if it was passed a corrupt record. check-in: 931278b2 user: dan tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to ext/fts3/fts3_write.c.

3323
3324
3325
3326
3327
3328
3329
3330
3331

3332
3333
3334
3335
3336
3337


3338
3339
3340
3341
3342
3343
3344
*/
static void fts3DecodeIntArray(
  int N,             /* The number of integers to decode */
  u32 *a,            /* Write the integer values */
  const char *zBuf,  /* The BLOB containing the varints */
  int nBuf           /* size of the BLOB */
){
  int i, j;
  UNUSED_PARAMETER(nBuf);

  for(i=j=0; i<N; i++){
    sqlite3_int64 x;
    j += sqlite3Fts3GetVarint(&zBuf[j], &x);
    assert(j<=nBuf);
    a[i] = (u32)(x & 0xffffffff);
  }


}

/*
** Insert the sizes (in tokens) for each column of the document
** with docid equal to p->iPrevDocid.  The sizes are encoded as
** a blob of varints.
*/







|
|
>
|
|
|
<
|
|
>
>







3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335

3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
*/
static void fts3DecodeIntArray(
  int N,             /* The number of integers to decode */
  u32 *a,            /* Write the integer values */
  const char *zBuf,  /* The BLOB containing the varints */
  int nBuf           /* size of the BLOB */
){
  int i = 0;
  if( nBuf && (zBuf[nBuf-1]&0x80)==0 ){
    int j;
    for(i=j=0; i<N && j<nBuf; i++){
      sqlite3_int64 x;
      j += sqlite3Fts3GetVarint(&zBuf[j], &x);

      a[i] = (u32)(x & 0xffffffff);
    }
  }
  while( i<N ) a[i++] = 0;
}

/*
** Insert the sizes (in tokens) for each column of the document
** with docid equal to p->iPrevDocid.  The sizes are encoded as
** a blob of varints.
*/