Overview
Comment: | Fix another crash in the sessions module triggered by malformed input. |
---|---|
SHA3-256: | 7e70c9b86af557e86152748ddf1da467 |
User & Date: | dan 2018-03-05 21:17:20.992 |
Context
2018-03-05
23:23 | Fix walIteratorInit() so that it always leaves the iterator as a NULL pointer if an OOM occurs. This fixes an assertion fault introduced by check-in [044b0b65e716bff]. (check-in: e5ce256aa1 user: drh tags: trunk) | |
21:19 | Merge the session fix from trunk. (check-in: 6274cf1f39 user: drh tags: memdb) | |
21:17 | Fix another crash in the sessions module triggered by malformed input. (check-in: 7e70c9b86a user: dan tags: trunk) | |
20:21 | Improved command-line help for the -A option on the CLI. (check-in: d937ac181c user: drh tags: trunk) | |
Changes
Changes to ext/session/session4.test.
︙ | ︙ | |||
125 126 127 128 129 130 131 132 133 134 135 136 137 138 | 49 540101743400120004001200010000000000000002120002400C0000000000005004010000FC733100170001000000000000000501000000000000000301000000F6FF17000100007C6F7572 50 54010174FFDDFF8003001200010000100000000002120002400C000000000000500401000000743100170000000005010000000000000000000003010072 51 540101743200120003001200010000000000000002120002400C00000000000050040100001074310017000000000003010000120300170100000000000000050100000000000000030100000003001700010000666F7572 52 540101745401017434001200010000000000001702120002400C00000000000050040100001A74310017000100000000000100000100000000000000030100000003001700010000666F7572 53 540101743400120003001200010000000000000002120002400C000000000000500401000000743100170001000002400C00000000000050040110000074310017000000000000050100000000000000030100000003001700010000666F7572 54 540101743400120003001200010000000000000002120002400C000000000002120002400C00000000000050040100000074310017FF0050040100000074310017FF7F00000000000000050100000000000000030100000003001700010000666F7572 55 540101743400120003001200010000000000000002120002400C00000000000050040100000074310017000100010080000001000000020003010100000300170100000003001700010000666F7572 } { do_test 2.$tn { set changeset [binary decode hex $blob] #set fd [open x.change w+] #fconfigure $fd -encoding binary -translation binary #puts -nonewline $fd $changeset #close $fd | > | 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | 49 540101743400120004001200010000000000000002120002400C0000000000005004010000FC733100170001000000000000000501000000000000000301000000F6FF17000100007C6F7572 50 54010174FFDDFF8003001200010000100000000002120002400C000000000000500401000000743100170000000005010000000000000000000003010072 51 540101743200120003001200010000000000000002120002400C00000000000050040100001074310017000000000003010000120300170100000000000000050100000000000000030100000003001700010000666F7572 52 
540101745401017434001200010000000000001702120002400C00000000000050040100001A74310017000100000000000100000100000000000000030100000003001700010000666F7572 53 540101743400120003001200010000000000000002120002400C000000000000500401000000743100170001000002400C00000000000050040110000074310017000000000000050100000000000000030100000003001700010000666F7572 54 540101743400120003001200010000000000000002120002400C000000000002120002400C00000000000050040100000074310017FF0050040100000074310017FF7F00000000000000050100000000000000030100000003001700010000666F7572 55 540101743400120003001200010000000000000002120002400C00000000000050040100000074310017000100010080000001000000020003010100000300170100000003001700010000666F7572 56 5487ffffff7f } { do_test 2.$tn { set changeset [binary decode hex $blob] #set fd [open x.change w+] #fconfigure $fd -encoding binary -translation binary #puts -nonewline $fd $changeset #close $fd |
︙ | ︙ |
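Review bot: Case 56 (`5487ffffff7f`) is added as a bare hex blob with no comment saying which defect it targets, unlike the explanation given beside the matching check in sqlite3session.c. A one-line comment noting that it is a table header whose column-count varint is out of range would make the regression traceable. It would also help to add a vector just past the 65536 bound and one for the `nCol<0` branch, so both arms of the new condition are pinned by a test.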
Changes to ext/session/sqlite3session.c.
︙ | ︙ | |||
2782 2783 2784 2785 2786 2787 2788 | int rc = SQLITE_OK; int nCol = 0; int nRead = 0; rc = sessionInputBuffer(pIn, 9); if( rc==SQLITE_OK ){ nRead += sessionVarintGet(&pIn->aData[pIn->iNext + nRead], &nCol); | > > > > > > > | | 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 | int rc = SQLITE_OK; int nCol = 0; int nRead = 0; rc = sessionInputBuffer(pIn, 9); if( rc==SQLITE_OK ){ nRead += sessionVarintGet(&pIn->aData[pIn->iNext + nRead], &nCol); /* The hard upper limit for the number of columns in an SQLite ** database table is, according to sqliteLimit.h, 32676. So ** consider any table-header that purports to have more than 65536 ** columns to be corrupt. This is convenient because otherwise, ** if the (nCol>65536) condition below were omitted, a sufficiently ** large value for nCol may cause nRead to wrap around and become ** negative. Leading to a crash. */ if( nCol<0 || nCol>65536 ){ rc = SQLITE_CORRUPT_BKPT; }else{ rc = sessionInputBuffer(pIn, nRead+nCol+100); nRead += nCol; } } |
︙ | ︙ |
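Review bot: The comment added above the `nCol` check gives the column limit from sqliteLimit.h as 32676, but the hard upper bound documented there for SQLITE_MAX_COLUMN is 32767, so the digits look transposed and should be corrected. The comment also does not say why the check uses 65536 rather than that limit; either test against the real limit or state that 65536 is a deliberately loose bound chosen only to keep `nRead+nCol+100` from overflowing. The trailing fragment "Leading to a crash." should be joined to the preceding sentence.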