/ Check-in [daef5869]

Overview
Comment:Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread. Cherrypick of [c9a30e117f].
SHA1: daef5869f4d62ebb24eb03b79fe4be0812fa0496
User & Date: dan 2016-03-01 14:51:36
Context
2016-03-01
15:09
Merge branch-3.11-matchinfo into this branch. check-in: 42358170 user: dan tags: branch-3.11
14:51
Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread. Cherrypick of [c9a30e117f]. Closed-Leaf check-in: daef5869 user: dan tags: branch-3.11-matchinfo
14:50
Fix an fts5 problem causing 'optimize' to corrupt the fts index under some circumstances. Cherrypick of [251d6473f7]. check-in: 5b1b7ab5 user: dan tags: branch-3.11-matchinfo
2016-02-29
17:34
Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread. check-in: c9a30e11 user: dan tags: trunk
Changes

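--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -693,14 +693,15 @@
     p->rc = rc;
     p->nRead++;
   }
 
   assert( (pRet==0)==(p->rc!=SQLITE_OK) );
   return pRet;
 }
+
 
 /*
 ** Release a reference to data record returned by an earlier call to
 ** fts5DataRead().
 */
 static void fts5DataRelease(Fts5Data *pData){
   sqlite3_free(pData);
@@ -2150,14 +2151,18 @@
   int bEndOfPage = 0;
 
   assert( p->rc==SQLITE_OK );
 
   iPgidx = szLeaf;
   iPgidx += fts5GetVarint32(&a[iPgidx], iTermOff);
   iOff = iTermOff;
+  if( iOff>n ){
+    p->rc = FTS5_CORRUPT;
+    return;
+  }
 
   while( 1 ){
 
     /* Figure out how many new bytes are in this term */
     fts5FastGetVarint32(a, iOff, nNew);
     if( nKeep<nMatch ){
       goto search_failed;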
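Review bot: The new guard `if( iOff>n )` in the second hunk still accepts `iOff==n`, so the first `fts5FastGetVarint32(a, iOff, nNew)` in the loop would start decoding at the very end of the `n`-byte record. Whether that read stays inside the allocation depends on padding that is not visible here, so either tighten the test to `if( iOff>=n ){` (if an offset equal to `n` can never be a valid term start) or add a comment such as `/* iOff==n is tolerated: the varint read below relies on the padding bytes after the record */`. The read of `a[iPgidx]` two lines earlier likewise uses `szLeaf` with no visible comparison against `n`; if that is checked where the leaf is loaded, a short comment saying so would help the next reader. The enclosing function starts and ends outside the hunk, so it is also worth confirming that the early `return` does not skip cleanup that the `search_failed` label performs.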