/ Check-in [292cf68b]

Overview
Comment:Merge increment blob I/O fixes from trunk.
SHA1: 292cf68b4c934c3a666d938d3857f6bd8a484044
User & Date: drh 2015-02-07 15:30:08
Context
2015-02-13
12:13
Merge all recent trunk fixes and enhancements into the apple-osx branch. check-in: b2449d67 user: drh tags: apple-osx
2015-02-07
15:30
Merge increment blob I/O fixes from trunk. check-in: 292cf68b user: drh tags: apple-osx
15:16
Fix potential 32-bit integer overflow problems on the offset and length parameters to sqlite3_blob_read() and sqlite3_blob_write(). For sqlite3_blob_open(), make sure the *ppBlob return parameter is zeroed if the interface fails with SQLITE_MISUSE. check-in: 5df02f50 user: drh tags: trunk
2015-02-06
16:03
Merge all recent trunk enhancements into the apple-osx branch. check-in: 44711921 user: drh tags: apple-osx
Changes

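--- a/src/vdbeblob.c
+++ b/src/vdbeblob.c
@@ -150,20 +150,25 @@
   int rc = SQLITE_OK;
   char *zErr = 0;
   Table *pTab;
   Parse *pParse = 0;
   Incrblob *pBlob = 0;
 
 #ifdef SQLITE_ENABLE_API_ARMOR
-  if( !sqlite3SafetyCheckOk(db) || ppBlob==0 || zTable==0 ){
+  if( ppBlob==0 ){
+    return SQLITE_MISUSE_BKPT;
+  }
+#endif
+  *ppBlob = 0;
+#ifdef SQLITE_ENABLE_API_ARMOR
+  if( !sqlite3SafetyCheckOk(db) || zTable==0 ){
     return SQLITE_MISUSE_BKPT;
   }
 #endif
   flags = !!flags;                /* flags = (flags ? 1 : 0); */
-  *ppBlob = 0;
 
   sqlite3_mutex_enter(db->mutex);
 
   pBlob = (Incrblob *)sqlite3DbMallocZero(db, sizeof(Incrblob));
   if( !pBlob ) goto blob_open_out;
   pParse = sqlite3StackAllocRaw(db, sizeof(*pParse));
   if( !pParse ) goto blob_open_out;
@@ -369,15 +374,15 @@
   sqlite3 *db;
 
   if( p==0 ) return SQLITE_MISUSE_BKPT;
   db = p->db;
   sqlite3_mutex_enter(db->mutex);
   v = (Vdbe*)p->pStmt;
 
-  if( n<0 || iOffset<0 || (iOffset+n)>p->nByte ){
+  if( n<0 || iOffset<0 || ((sqlite3_int64)iOffset+n)>p->nByte ){
     /* Request is out of range. Return a transient error. */
     rc = SQLITE_ERROR;
   }else if( v==0 ){
     /* If there is no statement handle, then the blob-handle has
     ** already been invalidated. Return SQLITE_ABORT in this case.
     */
     rc = SQLITE_ABORT;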
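Review bot: The widened range check in the second hunk, `((sqlite3_int64)iOffset+n)>p->nByte`, has no comment saying why the cast is there, so a later cleanup could drop it and reintroduce the 32-bit wrap that let an out-of-range request past this guard. I would add `/* Add in 64 bits: iOffset+n can exceed the range of a 32-bit int */` above the condition. A form that needs no wider type is `if( n<0 || iOffset<0 || n>p->nByte-iOffset ){`, which cannot overflow once negative `n` and `iOffset` have been rejected, assuming p->nByte is never negative (its declaration is not in the hunk). The enclosing function begins and ends outside the hunk.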

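--- a/test/incrblob2.test
+++ b/test/incrblob2.test
@@ -319,20 +319,42 @@
   close $rdHandle
 } {}
 
 do_test incrblob2-6.2 {
   set rdHandle [db incrblob -readonly t1 data 1]
   sqlite3_blob_read $rdHandle 0 2
 } {AB}
+
+do_test incrblob2-6.2b {
+  set rc [catch {
+    # Prior to 2015-02-07, the following caused a segfault due to
+    # integer overflow.
+    sqlite3_blob_read $rdHandle 2147483647 2147483647
+  } errmsg]
+  lappend rc $errmsg
+} {1 SQLITE_ERROR}
 
 do_test incrblob2-6.3 {
   set wrHandle [db incrblob t1 data 1]
   sqlite3_blob_write $wrHandle 0 ZZZZZZZZZZ
   sqlite3_blob_read $rdHandle 2 4
 } {ZZZZ}
+
+do_test incrblob2-6.3b {
+  set rc [catch {
+    # Prior to 2015-02-07, the following caused a segfault due to
+    # integer overflow.
+    sqlite3_blob_write $wrHandle 2147483647 YYYYYYYYYYYYYYYYYY
+  } errmsg]
+  lappend rc $errmsg
+} {1 SQLITE_ERROR}
+do_test incrblob2-6.3c {
+  sqlite3_blob_read $rdHandle 2 4
+} {ZZZZ}
+
 
 do_test incrblob2-6.4 {
   close $wrHandle
   close $rdHandle
 } {}
 
 sqlite3_memory_highwater 1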
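Review bot: The added cases 6.2b, 6.3b and 6.3c exercise only the range check in blob read and write; nothing in this section covers the other part of the change, that `*ppBlob` is zeroed when sqlite3_blob_open() returns SQLITE_MISUSE. Both MISUSE returns in that path are compiled only under SQLITE_ENABLE_API_ARMOR and may not be reachable from the Tcl `db incrblob` command, so coverage may have to live elsewhere. Separately, 6.2b and 6.3b reuse `$rdHandle` and `$wrHandle` opened by 6.2 and 6.3, so a failure in those earlier tests would surface here as an unrelated error. A one-line comment such as `# uses $rdHandle opened in incrblob2-6.2` would make that dependency explicit.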