/ Check-in [a385298d]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix a buffer overwrite in fts5 triggered by a corrupt database.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: a385298df264dbfa6765f63ad8708f74bc8e8a1404239c1049890b39a1bda888
User & Date: dan 2018-12-28 13:57:30
Context
2018-12-28
14:33
Avoid an undefined left-shift operation in fts5 caused by malformed utf-8 text. check-in: c3a3a111 user: dan tags: trunk
13:57
Fix a buffer overwrite in fts5 triggered by a corrupt database. check-in: a385298d user: dan tags: trunk
07:37
Fix problems in fts5 found by ASAN. check-in: c564bf87 user: dan tags: trunk
Changes
Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Changes to ext/fts5/fts5_index.c.

  3898   3898     Fts5Index *p, 
  3899   3899     Fts5SegWriter *pWriter,
  3900   3900     int nTerm, const u8 *pTerm 
  3901   3901   ){
  3902   3902     int nPrefix;                    /* Bytes of prefix compression for term */
  3903   3903     Fts5PageWriter *pPage = &pWriter->writer;
  3904   3904     Fts5Buffer *pPgidx = &pWriter->writer.pgidx;
         3905  +  int nMin = MIN(pPage->term.n, nTerm);
  3905   3906   
  3906   3907     assert( p->rc==SQLITE_OK );
  3907   3908     assert( pPage->buf.n>=4 );
  3908   3909     assert( pPage->buf.n>4 || pWriter->bFirstTermInPage );
  3909   3910   
  3910   3911     /* If the current leaf page is full, flush it to disk. */
  3911   3912     if( (pPage->buf.n + pPgidx->n + nTerm + 2)>=p->pConfig->pgsz ){
................................................................................
  3939   3940         ** Usually, the previous term is available in pPage->term. The exception
  3940   3941         ** is if this is the first term written in an incremental-merge step.
  3941   3942         ** In this case the previous term is not available, so just write a
  3942   3943         ** copy of (pTerm/nTerm) into the parent node. This is slightly
  3943   3944         ** inefficient, but still correct.  */
  3944   3945         int n = nTerm;
  3945   3946         if( pPage->term.n ){
  3946         -        n = 1 + fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm);
         3947  +        n = 1 + fts5PrefixCompress(nMin, pPage->term.p, pTerm);
  3947   3948         }
  3948   3949         fts5WriteBtreeTerm(p, pWriter, n, pTerm);
  3949   3950         pPage = &pWriter->writer;
  3950   3951       }
  3951   3952     }else{
  3952         -    nPrefix = fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm);
         3953  +    nPrefix = fts5PrefixCompress(nMin, pPage->term.p, pTerm);
  3953   3954       fts5BufferAppendVarint(&p->rc, &pPage->buf, nPrefix);
  3954   3955     }
  3955   3956   
  3956   3957     /* Append the number of bytes of new data, then the term data itself
  3957   3958     ** to the page. */
  3958   3959     fts5BufferAppendVarint(&p->rc, &pPage->buf, nTerm - nPrefix);
  3959   3960     fts5BufferAppendBlob(&p->rc, &pPage->buf, nTerm - nPrefix, &pTerm[nPrefix]);

Changes to ext/fts5/test/fts5corrupt3.test.

  1429   1429   |   4048: 00 00 00 00 00 00 09 03 02 1b 72 65 62 75 69 6c   ..........rebuil
  1430   1430   |   4064: 64 11 02 02 2b 69 6e 74 65 67 72 69 74 79 2d 63   d...+integrity-c
  1431   1431   |   4080: 68 65 63 6b 0a 01 02 1d 6f 70 74 69 6d 69 7a 65   heck....optimize
  1432   1432   | end c19b.db
  1433   1433   }]} {}
  1434   1434   
  1435   1435   do_catchsql_test 18.1 {
         1436  +  INSERT INTO t1(t1) VALUES('optimize');
         1437  +} {1 {database disk image is malformed}}
         1438  +
         1439  +#--------------------------------------------------------------------------
         1440  +reset_db
         1441  +do_test 19.0 {
         1442  +  sqlite3 db {}
         1443  +  db deserialize [decode_hexdb {
         1444  +| size 28672 pagesize 4096 filename c20b.db
         1445  +| page 1 offset 0
         1446  +|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
         1447  +|     16: 10 00 01 01 00 40 20 20 00 00 00 01 00 00 00 07   .....@  ........
         1448  +|     32: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00   ................
         1449  +|     48: 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00   ................
         1450  +|     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01   ................
         1451  +|     96: 00 2e 30 38 0d 00 00 00 07 0d d2 00 0f c4 0f 6d   ..08...........m
         1452  +|    112: 0f 02 0e ab 0e 4e 0d f6 0d d2 00 00 00 00 00 00   .....N..........
         1453  +|   3536: 00 00 22 07 06 17 11 11 01 31 74 61 62 6c 65 74   .........1tablet
         1454  +|   3552: 32 74 32 07 43 52 45 41 54 45 20 54 41 42 4c 45   2t2.CREATE TABLE
         1455  +|   3568: 20 74 32 28 78 29 56 06 06 17 1f 1f 01 7d 74 61    t2(x)V.......ta
         1456  +|   3584: 62 6c 65 74 31 5f 63 6f 6e 66 69 67 74 31 5f 63   blet1_configt1_c
         1457  +|   3600: 6f 6e 66 69 67 06 43 52 45 41 54 45 20 54 41 42   onfig.CREATE TAB
         1458  +|   3616: 4c 45 20 27 74 31 5f 63 6f 6e 66 69 67 27 28 6b   LE 't1_config'(k
         1459  +|   3632: 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 76 29    PRIMARY KEY, v)
         1460  +|   3648: 20 57 49 54 48 4f 55 54 20 52 4f 57 49 44 5b 05    WITHOUT ROWID[.
         1461  +|   3664: 07 17 21 21 01 81 01 74 61 62 6c 65 74 31 5f 64   ..!!...tablet1_d
         1462  +|   3680: 6f 63 73 69 7a 65 74 31 5f 64 6f 63 73 69 7a 65   ocsizet1_docsize
         1463  +|   3696: 05 43 52 45 41 54 45 20 54 41 42 4c 45 20 27 74   .CREATE TABLE 't
         1464  +|   3712: 31 5f 64 6f 63 73 69 7a 65 27 28 69 64 20 49 4e   1_docsize'(id IN
         1465  +|   3728: 54 45 47 45 52 20 50 52 49 4d 41 52 59 20 4b 45   TEGER PRIMARY KE
         1466  +|   3744: 59 2c 20 73 7a 20 42 4c 4f 42 29 55 04 06 17 21   Y, sz BLOB)U...!
         1467  +|   3760: 21 01 77 74 61 62 6c 65 74 31 5f 63 6f 6e 74 65   !.wtablet1_conte
         1468  +|   3776: 6e 74 74 31 5f 63 6f 6e 74 65 6e 74 04 43 52 45   ntt1_content.CRE
         1469  +|   3792: 41 54 45 20 54 41 42 4c 45 20 27 74 31 5f 63 6f   ATE TABLE 't1_co
         1470  +|   3808: 6e 74 65 6e 74 27 28 69 64 20 49 4e 54 45 47 45   ntent'(id INTEGE
         1471  +|   3824: 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 63   R PRIMARY KEY, c
         1472  +|   3840: 30 29 69 03 07 17 19 19 01 81 2d 74 61 62 6c 65   0)i.......-table
         1473  +|   3856: 74 31 5f 69 64 78 74 31 5f 69 64 78 03 43 52 45   t1_idxt1_idx.CRE
         1474  +|   3872: 41 54 45 20 54 41 42 4c 45 20 27 74 31 5f 69 64   ATE TABLE 't1_id
         1475  +|   3888: 78 27 28 73 65 67 69 64 2c 20 74 65 72 6d 2c 20   x'(segid, term, 
         1476  +|   3904: 70 67 6e 6f 2c 20 50 52 49 4d 41 52 59 20 4b 45   pgno, PRIMARY KE
         1477  +|   3920: 59 28 73 65 67 69 64 2c 20 74 65 72 6d 29 29 20   Y(segid, term)) 
         1478  +|   3936: 57 49 54 48 4f 55 54 20 52 4f 57 49 44 55 02 07   WITHOUT ROWIDU..
         1479  +|   3952: 17 1b 1b 01 81 01 74 61 62 6c 65 74 31 5f 64 61   ......tablet1_da
         1480  +|   3968: 74 61 74 31 5f 64 61 74 61 02 43 52 45 41 54 45   tat1_data.CREATE
         1481  +|   3984: 20 54 41 42 4c 45 20 27 74 31 5f 64 61 74 61 27    TABLE 't1_data'
         1482  +|   4000: 28 69 64 20 49 4e 54 45 47 45 52 20 50 52 49 4d   (id INTEGER PRIM
         1483  +|   4016: 41 52 59 20 4b 45 59 2c 20 62 6c 6f 63 6b 20 42   ARY KEY, block B
         1484  +|   4032: 4c 4f 42 29 3a 01 06 17 11 11 08 63 74 61 62 6c   LOB):......ctabl
         1485  +|   4048: 65 74 31 74 31 43 52 45 41 54 45 20 56 49 52 54   et1t1CREATE VIRT
         1486  +|   4064: 55 41 4c 20 54 41 42 4c 45 20 74 31 20 55 53 49   UAL TABLE t1 USI
         1487  +|   4080: 4e 47 20 66 74 73 35 28 63 6f 6e 74 65 6e 74 29   NG fts5(content)
         1488  +| page 2 offset 4096
         1489  +|      0: 0d 0f 20 00 05 0e a0 00 0f e8 0e a0 0f bd 0f 34   .. ............4
         1490  +|     16: 0e b7 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
         1491  +|   3744: 15 0a 03 00 30 00 00 00 00 01 03 03 00 03 01 01   ....0...........
         1492  +|   3760: 01 02 01 01 03 01 01 62 8c 80 80 80 80 01 04 00   .......b........
         1493  +|   3776: 81 48 00 00 00 55 06 30 61 62 61 63 6b 08 01 04   .H...U.0aback...
         1494  +|   3792: 04 6e 64 6f 6e 03 01 05 01 02 05 63 74 69 76 65   .ndon......ctive
         1495  +|   3808: 08 01 02 04 6c 70 68 61 08 01 02 03 74 6f 6d 08   ....lpha....tom.
         1496  +|   3824: 01 01 06 62 61 63 6b 75 70 08 01 02 05 6f 6f 6d   ...backup....oom
         1497  +|   3840: 65 72 08 01 01 07 63 68 61 6e 6e 65 6c 08 01 01   er....channel...
         1498  +|   3856: 04 74 65 73 74 08 01 04 09 0a 09 08 07 0a 09 0b   .test...........
         1499  +|   3872: 0f ef 00 14 2a 00 00 00 00 01 02 02 00 02 01 01   ....*...........
         1500  +|   3888: 01 02 01 01 81 01 88 80 80 80 80 01 04 00 82 06   ................
         1501  +|   3904: 00 00 00 72 06 30 61 62 61 63 6b 08 02 07 04 04   ...r.0aback.....
         1502  +|   3920: 6e 64 6f 6e 08 02 05 02 05 63 74 69 76 65 04 02   ndon.....ctive..
         1503  +|   3936: 02 04 02 0b 02 04 6c 70 68 61 08 04 02 0a 02 03   ......lpha......
         1504  +|   3952: 74 6f 6d 06 02 02 02 02 09 05 02 69 63 07 02 02   tom........ic...
         1505  +|   3968: 01 06 62 61 63 6b 75 70 08 02 04 02 05 6f 6f 66   ..backup.....oof
         1506  +|   3984: 65 72 05 02 02 04 03 6d 65 72 08 02 08 01 07 63   er.....mer.....c
         1507  +|   4000: 68 61 6e 6e 65 6c 08 02 03 01 04 74 65 73 74 08   hannel.....test.
         1508  +|   4016: 02 06 04 0a 09 0d 0a 0b 07 0b 0a 08 0c 24 84 80   .............$..
         1509  +|   4032: 80 80 80 01 03 00 4e 00 00 00 1e 06 30 61 62 61   ......N.....0aba
         1510  +|   4048: 63 6b 01 02 66 04 00 22 74 00 02 22 04 04 6e 64   ck..f...t.....nd
         1511  +|   4064: 6f 6e 03 02 02 04 0a 07 05 01 03 00 10 06 06 00   on..............
         1512  +|   4080: 00 00 11 24 00 00 00 00 01 01 01 00 01 01 01 01   ...$............
         1513  +| page 3 offset 8192
         1514  +|      0: 0a 00 00 00 03 0f ec 00 0f fa 0f f3 0f ec 00 00   ................
         1515  +|   4064: 00 00 00 00 00 00 00 00 00 00 00 00 06 04 01 0c   ................
         1516  +|   4080: 01 03 02 06 04 01 0c 01 02 02 05 04 09 0c 01 02   ................
         1517  +| page 4 offset 12288
         1518  +|      0: 0d 0f e0 00 06 0f b6 00 0f f6 0f ec 0f d5 0f ca   ................
         1519  +|     16: 0f c1 0f b6 0f 70 0f 70 00 00 00 00 00 00 00 00   .....p.p........
         1520  +|   3952: 0f e0 00 46 81 0d 61 6c 70 68 61 20 63 68 61 6e   ...F..alpha chan
         1521  +|   3968: 6e 65 6c 20 62 61 63 6b 75 70 20 61 62 61 6e 64   nel backup aband
         1522  +|   3984: 6f 6e 20 74 65 73 74 20 61 62 61 63 6b 20 62 6f   on test aback bo
         1523  +|   4000: 6f 6d 65 72 20 61 74 6f 6d 20 61 6c 70 68 61 20   omer atom alpha 
         1524  +|   4016: 61 63 74 69 76 65 09 07 03 00 19 61 74 6f 6d 69   active.....atomi
         1525  +|   4032: 63 07 06 03 00 15 61 74 6f 6d 09 05 03 00 19 62   c.....atom.....b
         1526  +|   4048: 6f 6f 66 65 72 09 04 03 00 19 61 63 74 69 76 65   oofer.....active
         1527  +|   4064: 00 00 00 0c 1b 61 62 61 6e 64 6f 6e 08 02 03 00   .....abandon....
         1528  +|   4080: 17 61 62 61 66 74 08 01 03 00 17 61 62 61 63 6b   .abaft.....aback
         1529  +| page 5 offset 16384
         1530  +|      0: 0d 0f ee 00 06 0f d6 00 0f fa 0f f4 0f e8 0f e2   ................
         1531  +|     16: 0f dc 0f d6 0f d0 0f d0 00 00 00 00 00 00 00 00   ................
         1532  +|   4048: 0f ee 00 06 0e 0a 04 07 03 00 0e 01 04 06 03 00   ................
         1533  +|   4064: 0e 01 04 05 03 00 0e 01 04 04 03 00 0e 01 00 00   ................
         1534  +|   4080: 00 06 0e 01 04 02 03 00 0e 01 04 01 03 00 0e 01   ................
         1535  +| page 6 offset 20480
         1536  +|      0: 0a 00 00 00 01 0f f4 00 0f f4 00 00 00 00 00 00   ................
         1537  +|   4080: 00 00 00 00 0b 03 1b 01 76 65 72 73 69 6f 6e 04   ........version.
         1538  +| page 7 offset 24576
         1539  +|      0: 0d 00 00 00 03 0f d6 00 0f f4 0f e1 0f d6 00 00   ................
         1540  +|   4048: 00 00 00 00 00 00 09 03 02 1b 72 65 62 75 69 6c   ..........rebuil
         1541  +|   4064: 64 11 02 02 2b 69 6e 74 65 67 72 69 74 79 2d 63   d...+integrity-c
         1542  +|   4080: 86 65 63 6b 0a 01 02 1d 6f 70 74 69 6d 69 7a 65   .eck....optimize
         1543  +| end c20b.db
         1544  +}]} {}
         1545  +
         1546  +do_catchsql_test 19.1 {
  1436   1547     INSERT INTO t1(t1) VALUES('optimize');
  1437   1548   } {1 {database disk image is malformed}}
  1438   1549   
  1439   1550   sqlite3_fts5_may_be_corrupt 0
  1440   1551   finish_test
  1441   1552