Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Fix another crash in the sessions module triggered by malformed input. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
7e70c9b86af557e86152748ddf1da467 |
| User & Date: | dan 2018-03-05 21:17:20 |
Context
|
2018-03-05
| ||
| 23:23 | Fix walIteratorInit() so that it always leaves the iterator as a NULL pointer if an OOM occurs. This fixes an assertion fault introduced by check-in [044b0b65e716bff]. check-in: e5ce256a user: drh tags: trunk | |
| 21:19 | Merge the session fix from trunk. check-in: 6274cf1f user: drh tags: memdb | |
| 21:17 | Fix another crash in the sessions module triggered by malformed input. check-in: 7e70c9b8 user: dan tags: trunk | |
| 20:21 | Improved command-line help for the -A option on the CLI. check-in: d937ac18 user: drh tags: trunk | |
Changes
Changes to ext/session/session4.test.
125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 |
49 540101743400120004001200010000000000000002120002400C0000000000005004010000FC733100170001000000000000000501000000000000000301000000F6FF17000100007C6F7572
50 54010174FFDDFF8003001200010000100000000002120002400C000000000000500401000000743100170000000005010000000000000000000003010072
51 540101743200120003001200010000000000000002120002400C00000000000050040100001074310017000000000003010000120300170100000000000000050100000000000000030100000003001700010000666F7572
52 540101745401017434001200010000000000001702120002400C00000000000050040100001A74310017000100000000000100000100000000000000030100000003001700010000666F7572
53 540101743400120003001200010000000000000002120002400C000000000000500401000000743100170001000002400C00000000000050040110000074310017000000000000050100000000000000030100000003001700010000666F7572
54 540101743400120003001200010000000000000002120002400C000000000002120002400C00000000000050040100000074310017FF0050040100000074310017FF7F00000000000000050100000000000000030100000003001700010000666F7572
55 540101743400120003001200010000000000000002120002400C00000000000050040100000074310017000100010080000001000000020003010100000300170100000003001700010000666F7572
} {
do_test 2.$tn {
set changeset [binary decode hex $blob]
#set fd [open x.change w+]
#fconfigure $fd -encoding binary -translation binary
#puts -nonewline $fd $changeset
#close $fd
list [catch { sqlite3changeset_apply db $changeset xConflict } msg] $msg
} {1 SQLITE_CORRUPT}
}
finish_test
|
> |
125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 |
49 540101743400120004001200010000000000000002120002400C0000000000005004010000FC733100170001000000000000000501000000000000000301000000F6FF17000100007C6F7572
50 54010174FFDDFF8003001200010000100000000002120002400C000000000000500401000000743100170000000005010000000000000000000003010072
51 540101743200120003001200010000000000000002120002400C00000000000050040100001074310017000000000003010000120300170100000000000000050100000000000000030100000003001700010000666F7572
52 540101745401017434001200010000000000001702120002400C00000000000050040100001A74310017000100000000000100000100000000000000030100000003001700010000666F7572
53 540101743400120003001200010000000000000002120002400C000000000000500401000000743100170001000002400C00000000000050040110000074310017000000000000050100000000000000030100000003001700010000666F7572
54 540101743400120003001200010000000000000002120002400C000000000002120002400C00000000000050040100000074310017FF0050040100000074310017FF7F00000000000000050100000000000000030100000003001700010000666F7572
55 540101743400120003001200010000000000000002120002400C00000000000050040100000074310017000100010080000001000000020003010100000300170100000003001700010000666F7572
56 5487ffffff7f
} {
do_test 2.$tn {
set changeset [binary decode hex $blob]
#set fd [open x.change w+]
#fconfigure $fd -encoding binary -translation binary
#puts -nonewline $fd $changeset
#close $fd
list [catch { sqlite3changeset_apply db $changeset xConflict } msg] $msg
} {1 SQLITE_CORRUPT}
}
finish_test
|
Changes to ext/session/sqlite3session.c.
2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 |
int rc = SQLITE_OK;
int nCol = 0;
int nRead = 0;
rc = sessionInputBuffer(pIn, 9);
if( rc==SQLITE_OK ){
nRead += sessionVarintGet(&pIn->aData[pIn->iNext + nRead], &nCol);
if( nCol<0 ){
rc = SQLITE_CORRUPT_BKPT;
}else{
rc = sessionInputBuffer(pIn, nRead+nCol+100);
nRead += nCol;
}
}
|
> > > > > > > | |
2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 |
int rc = SQLITE_OK;
int nCol = 0;
int nRead = 0;
rc = sessionInputBuffer(pIn, 9);
if( rc==SQLITE_OK ){
nRead += sessionVarintGet(&pIn->aData[pIn->iNext + nRead], &nCol);
/* The hard upper limit for the number of columns in an SQLite
** database table is, according to sqliteLimit.h, 32676. So
** consider any table-header that purports to have more than 65536
** columns to be corrupt. This is convenient because otherwise,
** if the (nCol>65536) condition below were omitted, a sufficiently
** large value for nCol may cause nRead to wrap around and become
** negative. Leading to a crash. */
if( nCol<0 || nCol>65536 ){
rc = SQLITE_CORRUPT_BKPT;
}else{
rc = sessionInputBuffer(pIn, nRead+nCol+100);
nRead += nCol;
}
}
|