/ Check-in [8ba3d9f3]

Overview
Comment:Back out the expansion of the temporary buffer size from [32754ca6f86da816] and replace it with an explicit test for buffer overreads.
SHA3-256: 8ba3d9f38090c4bbbcffba1930e5c26f69ff61f49b72a4a5a59253d37341380f
User & Date: drh 2018-12-14 16:20:54
Context
2018-12-14
17:57
Fix possible integer overflow while running PRAGMA integrity_check on a database file with a badly corrupted freelist. check-in: 39559911 user: drh tags: trunk
16:20
Back out the expansion of the temporary buffer size from [32754ca6f86da816] and replace it with an explicit test for buffer overreads. check-in: 8ba3d9f3 user: drh tags: trunk
16:00
Avoid a buffer overread in ptrmapPutOvflPtr() that can occur in a corrupt database file that has large entries and uses autovacuum. check-in: f8b781cf user: drh tags: trunk
Changes

Changes to src/btree.c.

  6758   6758     i = get2byte(&aData[hdr+5]);
  6759   6759     memcpy(&pTmp[i], &aData[i], usableSize - i);
  6760   6760   
  6761   6761     pData = pEnd;
  6762   6762     for(i=0; i<nCell; i++){
  6763   6763       u8 *pCell = apCell[i];
  6764   6764       if( SQLITE_WITHIN(pCell,aData,pEnd) ){
         6765  +      if( ((uptr)(pCell+szCell[i]))>(uptr)pEnd ) return SQLITE_CORRUPT_BKPT;
  6765   6766         pCell = &pTmp[pCell - aData];
  6766   6767       }
  6767   6768       pData -= szCell[i];
  6768   6769       put2byte(pCellptr, (pData - aData));
  6769   6770       pCellptr += 2;
  6770   6771       if( pData < pCellptr ) return SQLITE_CORRUPT_BKPT;
  6771   6772       memcpy(pData, pCell, szCell[i]);
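Review bot: the new test at 6765 builds `pCell+szCell[i]` as pointer arithmetic before casting to `uptr`, so in exactly the corrupt case it is meant to reject (a cell whose recorded size runs past the end of the page) the pointer expression is formed out of bounds before the comparison catches it; doing the same comparison in integer space, e.g. `if( szCell[i] > (pEnd - pCell) ) return SQLITE_CORRUPT_BKPT;`, keeps the arithmetic defined and reads the same. The placement is right: it sits inside the `SQLITE_WITHIN(pCell,aData,pEnd)` branch, before `pCell` is redirected into `pTmp`, so the `memcpy(pData, pCell, szCell[i])` at 6772 can no longer read past the end of the temporary buffer, and using `>` rather than `>=` is correct because a cell ending exactly at `pEnd` is in bounds.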

Changes to src/pcache1.c.

   476    476   ** using sqlite3_config(SQLITE_CONFIG_PAGECACHE) option. If no such buffer
   477    477   ** exists, this function falls back to sqlite3Malloc().
   478    478   */
   479    479   void *sqlite3PageMalloc(int sz){
   480    480     /* During rebalance operations on a corrupt database file, it is sometimes
   481    481     ** (rarely) possible to overread the temporary page buffer by a few bytes.
   482    482     ** Enlarge the allocation slightly so that this does not cause problems. */
   483         -  return pcache1Alloc(sz + 32);
          483  +  return pcache1Alloc(sz);
   484    484   }
   485    485   
   486    486   /*
   487    487   ** Free an allocated buffer obtained from sqlite3PageMalloc().
   488    488   */
   489    489   void sqlite3PageFree(void *p){
   490    490     pcache1Free(p);
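Review bot: the comment at 480-482 is now stale. It explains why the allocation was enlarged, but the enlargement is exactly what this hunk removes, so `sqlite3PageMalloc()` now reads as a plain wrapper around `pcache1Alloc(sz)` carrying a justification for slack that no longer exists. Either drop the three comment lines or replace them with one line saying that overreads of the temporary page buffer are now rejected explicitly in btree.c (the `SQLITE_CORRUPT_BKPT` test this check-in adds), so no extra bytes are needed here.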