SQLite

Check-in [f336fba7d7]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix a buffer overread in debugging routine sqlite3VdbeMemPrettyPrint(). Problem discovered by OSS-Fuzz.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: f336fba7d7d41b91a5000d01dddf785821fa79ea31dbd8d1f769d55f7e871896
User & Date: dan 2017-03-17 13:59:06.018
Context
2017-03-17
14:15
Fix the Makefile.in so that it builds the ossshell test program correctly. (check-in: 36f5602ec9 user: drh tags: trunk)
13:59
Fix a buffer overread in debugging routine sqlite3VdbeMemPrettyPrint(). Problem discovered by OSS-Fuzz. (check-in: f336fba7d7 user: dan tags: trunk)
03:21
Fix a problem in the enhanced PRAGMA integrity_check where it verifies CHECK constraints: Do not be confused by the reuse of the Table.pCheck field by VIEWs with named columns. Problem discovered by OSS-Fuzz. (check-in: 019dd3d5ba user: drh tags: trunk)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/vdbe.c. 
2653
2654
2655
2656
2657
2658
2659
2660





2661
2662
2663
2664
2665
2666
2667
2668

     || (len = sqlite3VdbeSerialTypeLen(t))==0
    ){
      /* Content is irrelevant for
      **    1. the typeof() function,
      **    2. the length(X) function if X is a blob, and
      **    3. if the content length is zero.
      ** So we might as well use bogus content rather than reading
      ** content from disk. */





      static u8 aZero[8];  /* This is the bogus content */
      sqlite3VdbeSerialGet(aZero, t, pDest);
    }else{
      rc = sqlite3VdbeMemFromBtree(pC->uc.pCursor, aOffset[p2], len, pDest);
      if( rc!=SQLITE_OK ) goto abort_due_to_error;
      sqlite3VdbeSerialGet((const u8*)pDest->z, t, pDest);
      pDest->flags &= ~MEM_Ephem;
    }








|
>
>
>
>
>
|








2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673

     || (len = sqlite3VdbeSerialTypeLen(t))==0
    ){
      /* Content is irrelevant for
      **    1. the typeof() function,
      **    2. the length(X) function if X is a blob, and
      **    3. if the content length is zero.
      ** So we might as well use bogus content rather than reading
      ** content from disk. 
      **
      ** Although sqlite3VdbeSerialGet() may read at most 8 bytes from the
      ** buffer passed to it, debugging function VdbeMemPrettyPrint() may
      ** read up to 16. So 16 bytes of bogus content is supplied.
      */
      static u8 aZero[16];  /* This is the bogus content */
      sqlite3VdbeSerialGet(aZero, t, pDest);
    }else{
      rc = sqlite3VdbeMemFromBtree(pC->uc.pCursor, aOffset[p2], len, pDest);
      if( rc!=SQLITE_OK ) goto abort_due_to_error;
      sqlite3VdbeSerialGet((const u8*)pDest->z, t, pDest);
      pDest->flags &= ~MEM_Ephem;
    }