/ Check-in [cb505090]
Overview
Comment: Avoid reading off the front of a page buffer when balancing a corrupt btree page.
SHA3-256: cb50509020d952fa9efed8df7fa08b07b71ae9bdbdefea216b6e660863291039
User & Date: drh 2019-01-14 05:48:10
Context
2019-01-14
11:56
Have fts3 ignore empty sets of parenthesis if built with SQLITE_ENABLE_FTS3_PARENTHESIS. check-in: c93c6b45 user: dan tags: trunk
05:48
Avoid reading off the front of a page buffer when balancing a corrupt btree page. check-in: cb505090 user: drh tags: trunk
2019-01-13
20:23
In dbfuzz2, avoid using a malloc in the LLVMFuzzerInitialize() initializer routine, so that no memory leaks are reported. Also, show the version of SQLite being used when the -v option is on. check-in: 824f9324 user: drh tags: trunk
Changes

Changes to src/btree.c.

  6659   6659       if( rc ){ *pRC = rc; return; }
  6660   6660       /* The allocateSpace() routine guarantees the following properties
  6661   6661       ** if it returns successfully */
  6662   6662       assert( idx >= 0 );
  6663   6663       assert( idx >= pPage->cellOffset+2*pPage->nCell+2 || CORRUPT_DB );
  6664   6664       assert( idx+sz <= (int)pPage->pBt->usableSize );
  6665   6665       pPage->nFree -= (u16)(2 + sz);
  6666         -    memcpy(&data[idx], pCell, sz);
  6667   6666       if( iChild ){
         6667  +      /* In a corrupt database where an entry in the cell index section of
         6668  +      ** a btree page has a value of 3 or less, the pCell value might point
         6669  +      ** as many as 4 bytes in front of the start of the aData buffer for
         6670  +      ** the source page.  Make sure this does not cause problems by not
         6671  +      ** reading the first 4 bytes */
         6672  +      memcpy(&data[idx+4], pCell+4, sz-4);
  6668   6673         put4byte(&data[idx], iChild);
         6674  +    }else{
         6675  +      memcpy(&data[idx], pCell, sz);
  6669   6676       }
  6670   6677       pIns = pPage->aCellIdx + i*2;
  6671   6678       memmove(pIns+2, pIns, 2*(pPage->nCell - i));
  6672   6679       put2byte(pIns, idx);
  6673   6680       pPage->nCell++;
  6674   6681       /* increment the cell count */
  6675   6682       if( (++data[pPage->hdrOffset+4])==0 ) data[pPage->hdrOffset+3]++;
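Review bot: the new `memcpy(&data[idx+4], pCell+4, sz-4);` in the `if( iChild )` branch has no visible guard that `sz>=4`; if a corrupt page ever produced a cell size below 4, `sz-4` would go negative and be converted to a very large `size_t` for memcpy, which is the same class of out-of-bounds read the change is meant to remove. The surrounding code already states its invariants as asserts (`assert( idx+sz <= (int)pPage->pBt->usableSize );`), so an `assert( sz>=4 )` (or `sz>=4 || CORRUPT_DB`, in the style of the assert two lines above) right before the copy, or a sentence in the new comment saying why interior cells always carry at least the 4-byte child pointer, would make that precondition explicit for the next reader. The rest of the hunk reads correctly: `put4byte(&data[idx], iChild);` overwrites exactly the four bytes the copy skips, so nothing from the source cell is lost, and the `else` branch preserves the original full-length `memcpy(&data[idx], pCell, sz);` for leaf cells that have no child pointer.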