SQLite

Check-in [db2935473e]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix a potential buffer overread that could have occurred when searching a corrupt database file.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | branch-3.8.4
Files: files | file ages | folders
SHA1: db2935473eab91cde3c01353ae29e112ab0c7acb
User & Date: drh 2014-03-26 16:22:38.603
Context
2014-03-26
16:25
Increase the version number to 3.8.4.2. (check-in: 59978a2e42 user: drh tags: branch-3.8.4)
16:22
Fix a potential buffer overread that could have occurred when searching a corrupt database file. (check-in: db2935473e user: drh tags: branch-3.8.4)
15:14
Add an extra test case for the potential buffer overread patched by [28ddecff04]. (check-in: f585f5d7a0 user: dan tags: trunk)
15:05
Add a test case to verify that the previous change avoids excess buffer overread in sqlite3VdbeRecordCompare(). (check-in: 2b28e8d582 user: drh tags: trunk)
14:51
Earlier detection of corruption in sqlite3VdbeRecordCompare() in order to avoid a potential buffer overread. (check-in: 28ddecff04 user: drh tags: trunk)
2014-03-11
15:27
Version 3.8.4.1 (check-in: 018d317b12 user: drh tags: trunk, release, version-3.8.4.1)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/vdbeaux.c.
3428
3429
3430
3431
3432
3433
3434

3435
3436
3437
3438
3439
3440
3441
    szHdr1 = aKey1[0];
    d1 = szHdr1 + sqlite3VdbeSerialTypeLen(s1);
    i = 1;
    pRhs++;
  }else{
    idx1 = getVarint32(aKey1, szHdr1);
    d1 = szHdr1;

    i = 0;
  }

  VVA_ONLY( mem1.zMalloc = 0; ) /* Only needed by assert() statements */
  assert( pPKey2->pKeyInfo->nField+pPKey2->pKeyInfo->nXField>=pPKey2->nField 
       || CORRUPT_DB );
  assert( pPKey2->pKeyInfo->aSortOrder!=0 );







>







3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
    szHdr1 = aKey1[0];
    d1 = szHdr1 + sqlite3VdbeSerialTypeLen(s1);
    i = 1;
    pRhs++;
  }else{
    idx1 = getVarint32(aKey1, szHdr1);
    d1 = szHdr1;
    if( d1>(unsigned)nKey1 ) return 1;  /* Corruption */
    i = 0;
  }

  VVA_ONLY( mem1.zMalloc = 0; ) /* Only needed by assert() statements */
  assert( pPKey2->pKeyInfo->nField+pPKey2->pKeyInfo->nXField>=pPKey2->nField 
       || CORRUPT_DB );
  assert( pPKey2->pKeyInfo->aSortOrder!=0 );
Changes to test/corruptI.test.
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42



43








44





45








46




47
48
49
50
51
52
# Initialize the database.
#
do_execsql_test 1.1 {
  PRAGMA page_size=1024;
  PRAGMA auto_vacuum=0;
  CREATE TABLE t1(a);
  CREATE INDEX i1 ON t1(a);
  INSERT INTO t1 VALUES('a');
} {}
db close

do_test 1.2 {
  set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
  set off [expr 2*1024 + $offset + 1]
  hexio_write test.db $off FF06












  breakpoint














  sqlite3 db test.db




  catchsql { SELECT * FROM t1 WHERE a = 10 }
} {1 {database disk image is malformed}}


finish_test








|






|
>
>
>

>
>
>
>
>
>
>
>
|
>
>
>
>
>
|
>
>
>
>
>
>
>
>

>
>
>
>
|




<
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

# Initialize the database.
#
do_execsql_test 1.1 {
  PRAGMA page_size=1024;
  PRAGMA auto_vacuum=0;
  CREATE TABLE t1(a);
  CREATE INDEX i1 ON t1(a);
  INSERT INTO t1 VALUES('abcdefghijklmnop');
} {}
db close

do_test 1.2 {
  set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
  set off [expr 2*1024 + $offset + 1]
  hexio_write test.db $off 7f06
  sqlite3 db test.db
  catchsql { SELECT * FROM t1 WHERE a = 10 }
} {0 {}}

do_test 1.3 {
  db close
  set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
  set off [expr 2*1024 + $offset + 1]
  hexio_write test.db $off FFFF7f02
  sqlite3 db test.db
  catchsql { SELECT * FROM t1 WHERE a = 10 }
} {0 {}}

do_test 2.0 {
  execsql {
    CREATE TABLE r(x);
    INSERT INTO r VALUES('ABCDEFGHIJK');
    CREATE INDEX r1 ON r(x);
  }
  set pg [db one {SELECT rootpage FROM sqlite_master WHERE name = 'r1'}]
} {5}

do_test 2.1 {
  db close
  set offset [hexio_get_int [hexio_read test.db [expr (5-1)*1024 + 8] 2]]
  set off [expr (5-1)*1024 + $offset + 1]
  hexio_write test.db $off FFFF0004
  sqlite3 db test.db
  catchsql { SELECT * FROM r WHERE x >= 10.0 }
} {1 {database disk image is malformed}}

do_test 2.2 {
  catchsql { SELECT * FROM r WHERE x >= 10 }
} {1 {database disk image is malformed}}


finish_test