Check-in [058a8006]

Overview
Comment:Ensure that a key comparison does not read a collating sequence past the end of the KeyInfo, even if the key field of an index is corrupted by having a string in the last column instead of the ROWID.
SHA3-256: 058a8006dceda78a894ea9446f057aa60b6d38e96506d4d91bda0ee2f9314ba3
User & Date: drh 2019-01-22 02:34:35
Context
2019-01-22
12:21
Fix another segfault caused by a corrupt fts3 database. check-in: ba3b8412 user: dan tags: trunk
02:34
Ensure that a key comparison does not read a collating sequence past the end of the KeyInfo, even if the key field of an index is corrupted by having a string in the last column instead of the ROWID. check-in: 058a8006 user: drh tags: trunk
2019-01-21
23:18
Enhance the btree search routine so that it does early detection of impossibly large keys and thereby avoids a large malloc() call. check-in: 3ecaaee6 user: drh tags: trunk
Changes

Changes to src/vdbeaux.c.

  3898   3898   
  3899   3899       /* Extract the values to be compared.
  3900   3900       */
  3901   3901       d1 += sqlite3VdbeSerialGet(&aKey1[d1], serial_type1, &mem1);
  3902   3902   
  3903   3903       /* Do the comparison
  3904   3904       */
  3905         -    rc = sqlite3MemCompare(&mem1, &pPKey2->aMem[i], pKeyInfo->aColl[i]);
         3905  +    rc = sqlite3MemCompare(&mem1, &pPKey2->aMem[i],
         3906  +                           pKeyInfo->nAllField>i ? pKeyInfo->aColl[i] : 0);
  3906   3907       if( rc!=0 ){
  3907   3908         assert( mem1.szMalloc==0 );  /* See comment below */
  3908   3909         if( pKeyInfo->aSortOrder[i] ){
  3909   3910           rc = -rc;  /* Invert the result for DESC sort order. */
  3910   3911         }
  3911   3912         goto debugCompareEnd;
  3912   3913       }
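Review bot: the guard at 3905-3906 silently substitutes a NULL collating sequence (binary comparison) when `i` is past `nAllField`, whereas the optimized path in the second hunk treats the same condition as SQLITE_CORRUPT and returns 0; since this debug routine exists to cross-check the optimized one, the two may now disagree on a corrupt record, so either return a corruption result here too or add a comment stating that the divergence is intentional. A one-line comment above the call explaining why `nAllField<=i` can happen (per the check-in message, a corrupt index key carrying a string where the ROWID belongs) would also help the next reader, since nothing in the hunk says so.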
................................................................................
  4329   4330           rc = -1;
  4330   4331         }else if( !(serial_type & 0x01) ){
  4331   4332           rc = +1;
  4332   4333         }else{
  4333   4334           mem1.n = (serial_type - 12) / 2;
  4334   4335           testcase( (d1+mem1.n)==(unsigned)nKey1 );
  4335   4336           testcase( (d1+mem1.n+1)==(unsigned)nKey1 );
  4336         -        if( (d1+mem1.n) > (unsigned)nKey1 ){
         4337  +        if( (d1+mem1.n) > (unsigned)nKey1
         4338  +         || (pKeyInfo = pPKey2->pKeyInfo)->nAllField<=i
         4339  +        ){
  4337   4340             pPKey2->errCode = (u8)SQLITE_CORRUPT_BKPT;
  4338   4341             return 0;                /* Corruption */
  4339         -        }else if( (pKeyInfo = pPKey2->pKeyInfo)->aColl[i] ){
         4342  +        }else if( pKeyInfo->aColl[i] ){
  4340   4343             mem1.enc = pKeyInfo->enc;
  4341   4344             mem1.db = pKeyInfo->db;
  4342   4345             mem1.flags = MEM_Str;
  4343   4346             mem1.z = (char*)&aKey1[d1];
  4344   4347             rc = vdbeCompareMemString(
  4345   4348                 &mem1, pRhs, pKeyInfo->aColl[i], &pPKey2->errCode
  4346   4349             );
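Review bot: the assignment buried in the condition at 4338, `(pKeyInfo = pPKey2->pKeyInfo)->nAllField<=i`, now matters for the `else if` at 4342, which reads `pKeyInfo` without its own assignment; that is correct only because the corrupt branch returns first, and it would be clearer to hoist `pKeyInfo = pPKey2->pKeyInfo;` above the `if` so the dependency is explicit. The boundary of the new check also has no coverage marker, unlike the `nKey1` bounds at 4335-4336; adding `testcase( pKeyInfo->nAllField==i+1 )` in the same style would pin the off-by-one. Note that the guard lives only in the string branch (odd serial types >= 12), which is the only place `aColl[i]` is dereferenced in this hunk; the other type branches of the same comparison routine are not shown, so confirm none of them index `aColl` or `aSortOrder` with an unchecked `i`.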