Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Fix another case in fts5 where a corrupt database could cause a buffer overread. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
f7e6cdc5625664f449d0edbe39af2d45 |
| User & Date: | dan 2019-01-01 13:59:34 |
Context
|
2019-01-01
| ||
| 18:00 | Ensure that when a new cursor is opened by OP_OpenDup, any existing cursor with the same id opened by a previous OP_OpenDup is closed first. (check-in: 5c188361 user: dan tags: trunk) | |
| 13:59 | Fix another case in fts5 where a corrupt database could cause a buffer overread. (check-in: f7e6cdc5 user: dan tags: trunk) | |
|
2018-12-31
| ||
| 21:43 | Fix harmless compiler warnings. (check-in: b57c545a user: drh tags: trunk) | |
Changes
Changes to ext/fts5/fts5_index.c.
2307 2307 if( pIter->pLeaf==0 ) return; 2308 2308 a = pIter->pLeaf->p; 2309 2309 if( fts5LeafIsTermless(pIter->pLeaf)==0 ){ 2310 2310 iPgidx = pIter->pLeaf->szLeaf; 2311 2311 iPgidx += fts5GetVarint32(&pIter->pLeaf->p[iPgidx], iOff); 2312 2312 if( iOff<4 || iOff>=pIter->pLeaf->szLeaf ){ 2313 2313 p->rc = FTS5_CORRUPT; 2314 + return; 2314 2315 }else{ 2315 2316 nKeep = 0; 2316 2317 iTermOff = iOff; 2317 2318 n = pIter->pLeaf->nn; 2318 2319 iOff += fts5GetVarint32(&a[iOff], nNew); 2319 2320 break; 2320 2321 } 2321 2322 } 2322 2323 }while( 1 ); 2323 2324 } 2324 2325 2325 2326 search_success: 2326 - 2327 2327 pIter->iLeafOffset = iOff + nNew; 2328 + if( pIter->iLeafOffset>n ){ 2329 + p->rc = FTS5_CORRUPT; 2330 + return; 2331 + } 2328 2332 pIter->iTermLeafOffset = pIter->iLeafOffset; 2329 2333 pIter->iTermLeafPgno = pIter->iLeafPgno; 2330 2334 2331 2335 fts5BufferSet(&p->rc, &pIter->term, nKeep, pTerm); 2332 2336 fts5BufferAppendBlob(&p->rc, &pIter->term, nNew, &a[iOff]); 2333 2337 2334 2338 if( iPgidx>=n ){
Changes to ext/fts5/test/fts5corrupt3.test.
1627 1627 | end crash-cf347c523f793c.db 1628 1628 }]} {} 1629 1629 1630 1630 do_catchsql_test 20.1 { 1631 1631 SELECT * FROM t1 WHERE t1 MATCH 'abandon'; 1632 1632 } {1 {vtable constructor failed: t1}} 1633 1633 1634 +#------------------------------------------------------------------------- 1635 +reset_db 1636 +do_test 21.0 { 1637 + sqlite3 db {} 1638 + db deserialize [decode_hexdb { 1639 +| size 28672 pagesize 4096 filename c22b.db 1640 +| page 1 offset 0 1641 +| 0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 SQLite format 3. 1642 +| 16: 10 00 01 01 00 40 20 20 00 00 00 01 00 00 00 07 .....@ ........ 1643 +| 32: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................ 1644 +| 48: 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 ................ 1645 +| 80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 1646 +| 96: 00 2e 30 38 0d 00 00 00 07 0d d2 00 0f c4 0f 6d ..08...........m 1647 +| 112: 0f 02 0e ab 0e 4e 0d f6 0d d2 00 00 00 00 00 00 .....N.......... 1648 +| 3536: 00 00 22 07 06 17 11 11 01 31 74 61 62 6c 65 74 .........1tablet 1649 +| 3552: 32 74 32 07 43 52 45 41 54 45 20 54 41 42 4c 45 2t2.CREATE TABLE 1650 +| 3568: 20 74 32 28 78 29 56 06 06 17 1f 1f 01 7d 74 61 t2(x)V.......ta 1651 +| 3584: 62 6c 65 74 31 5f 63 6f 6e 66 69 67 74 31 5f 63 blet1_configt1_c 1652 +| 3600: 6f 6e 66 69 67 06 43 52 45 41 54 45 20 54 41 42 onfig.CREATE TAB 1653 +| 3616: 4c 45 20 27 74 31 5f 63 6f 6e 66 69 67 27 28 6b LE 't1_config'(k 1654 +| 3632: 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 76 29 PRIMARY KEY, v) 1655 +| 3648: 20 57 49 54 48 4f 55 54 20 52 4f 57 49 44 5b 05 WITHOUT ROWID[. 1656 +| 3664: 07 17 21 21 01 81 01 74 61 62 6c 65 74 31 5f 64 ..!!...tablet1_d 1657 +| 3680: 6f 63 73 69 7a 65 74 31 5f 64 6f 63 73 69 7a 65 ocsizet1_docsize 1658 +| 3696: 05 43 52 45 41 54 45 20 54 41 42 4c 45 20 27 74 .CREATE TABLE 't 1659 +| 3712: 31 5f 64 6f 63 73 69 7a 65 27 28 69 64 20 49 4e 1_docsize'(id IN 1660 +| 3728: 54 45 47 45 52 20 50 52 49 4d 41 52 59 20 4b 45 TEGER PRIMARY KE 1661 +| 3744: 59 2c 20 73 7a 20 42 4c 4f 42 29 55 04 06 17 21 Y, sz BLOB)U...! 1662 +| 3760: 21 01 77 74 61 62 6c 65 74 31 5f 63 6f 6e 74 65 !.wtablet1_conte 1663 +| 3776: 6e 74 74 31 5f 63 6f 6e 74 65 6e 74 04 43 52 45 ntt1_content.CRE 1664 +| 3792: 41 54 45 20 54 41 42 4c 45 20 27 74 31 5f 63 6f ATE TABLE 't1_co 1665 +| 3808: 6e 74 65 6e 74 27 28 69 64 20 49 4e 54 45 47 45 ntent'(id INTEGE 1666 +| 3824: 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 63 R PRIMARY KEY, c 1667 +| 3840: 30 29 69 03 07 17 19 19 01 81 2d 74 61 62 6c 65 0)i.......-table 1668 +| 3856: 74 31 5f 69 64 78 74 31 5f 69 64 78 03 43 52 45 t1_idxt1_idx.CRE 1669 +| 3872: 41 54 45 20 54 41 42 4c 45 20 27 74 31 5f 69 64 ATE TABLE 't1_id 1670 +| 3888: 78 27 28 73 65 67 69 64 2c 20 74 65 72 6d 2c 20 x'(segid, term, 1671 +| 3904: 70 67 6e 6f 2c 20 50 52 49 4d 41 52 59 20 4b 45 pgno, PRIMARY KE 1672 +| 3920: 59 28 73 65 67 69 64 2c 20 74 65 72 6d 29 29 20 Y(segid, term)) 1673 +| 3936: 57 49 54 48 4f 55 54 20 52 4f 57 49 44 55 02 07 WITHOUT ROWIDU.. 1674 +| 3952: 17 1b 1b 01 81 01 74 61 62 6c 65 74 31 5f 64 61 ......tablet1_da 1675 +| 3968: 74 61 74 31 5f 64 61 74 61 02 43 52 45 41 54 45 tat1_data.CREATE 1676 +| 3984: 20 54 41 42 4c 45 20 27 74 31 5f 64 61 74 61 27 TABLE 't1_data' 1677 +| 4000: 28 69 64 20 49 4e 54 45 47 45 52 20 50 52 49 4d (id INTEGER PRIM 1678 +| 4016: 41 52 59 20 4b 45 59 2c 20 62 6c 6f 63 6b 20 42 ARY KEY, block B 1679 +| 4032: 4c 4f 42 29 3a 01 06 17 11 11 08 63 74 61 62 6c LOB):......ctabl 1680 +| 4048: 65 74 31 74 31 43 52 45 41 54 45 20 56 49 52 54 et1t1CREATE VIRT 1681 +| 4064: 55 41 4c 20 54 41 42 4c 45 20 74 31 20 55 53 49 UAL TABLE t1 USI 1682 +| 4080: 4e 47 20 66 74 73 35 28 63 6f 6e 74 65 6e 74 29 NG fts5(content) 1683 +| page 2 offset 4096 1684 +| 0: 0d 0e 8e 00 06 0e 2f 00 0f e8 0e 2f 0f bd 0f 3b ....../..../...; 1685 +| 16: 0e a5 0e 49 00 00 00 00 00 00 00 00 00 00 00 00 ...I............ 1686 +| 3616: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 ................ 1687 +| 3632: 0a 03 00 36 00 00 00 00 01 04 04 00 04 01 01 01 ...6............ 1688 +| 3648: 02 01 01 03 01 01 04 01 01 3e 90 80 80 80 80 01 .........>...... 1689 +| 3664: 04 00 81 00 00 00 00 36 06 30 62 61 63 6b 75 05 .......6.0backu. 1690 +| 3680: 02 04 05 02 04 02 05 65 61 6d 65 72 05 02 02 05 .......eamer.... 1691 +| 3696: 02 02 02 05 6f 6f 6d 65 72 05 01 05 01 02 05 75 ....oomer......u 1692 +| 3712: 6d 6d 65 72 05 02 03 05 02 03 04 0d 0d 0b 0f 27 mmer...........' 1693 +| 3728: 00 17 30 00 00 00 00 01 03 03 00 03 01 01 01 02 ..0............. 1694 +| 3744: 01 01 03 01 01 7b 8c 80 80 80 80 01 04 00 81 7a ...............z 1695 +| 3760: 00 00 00 6d 06 30 61 62 61 63 6b 0d 02 07 04 04 ...m.0aback..... 1696 +| 3776: 6e 64 6f 6e 0d 02 05 02 05 63 74 69 76 65 09 02 ndon.....ctive.. 1697 +| 3792: 02 04 02 0b 02 04 6c 70 68 61 0d 04 02 0a 02 03 ......lpha...... 1698 +| 3808: 74 6f 6d 0b 02 02 02 02 09 05 02 69 63 0c 02 02 tom........ic... 1699 +| 3824: 01 06 62 61 63 6b 75 70 0d 02 04 02 05 6f 6f 6d ..backup.....oom 1700 +| 3840: 65 72 0a 02 02 03 02 08 01 07 63 68 61 6e 6e 65 er........channe 1701 +| 3856: 6c 0d 02 03 01 04 74 65 73 74 0d 02 06 04 0a 09 l.....test...... 1702 +| 3872: 0d 0a 0b 07 0b 0d 0c 0f ef 00 14 2a 00 00 00 00 ...........*.... 1703 +| 3888: 01 02 02 00 02 01 01 01 02 01 01 7b 88 80 80 80 ................ 1704 +| 3904: 80 01 04 00 81 7a 00 00 00 6d 06 30 61 62 61 63 .....z...m.0abac 1705 +| 3920: 6b 08 02 07 04 04 6e 64 6f 6e 08 02 05 02 05 63 k.....ndon.....c 1706 +| 3936: 74 69 76 65 04 02 02 04 02 0b 02 04 6c 70 68 61 tive........lpha 1707 +| 3952: 08 04 02 0a 02 03 74 6f 6d 06 02 02 02 02 09 05 ......tom....... 1708 +| 3968: 02 69 63 07 02 02 01 06 62 61 63 6b 75 70 08 02 .ic.....backup.. 1709 +| 3984: 04 02 05 6f 6f 6d 65 72 05 02 02 03 02 08 01 07 ...oomer........ 1710 +| 4000: 63 68 61 6e 6e 65 6c 08 02 03 01 04 74 65 73 74 channel.....test 1711 +| 4016: 08 02 06 04 0a 09 0d 0a 0b 07 0b 0d 0c 24 84 80 .............$.. 1712 +| 4032: 80 80 80 01 03 00 4e 00 00 00 1e 06 30 61 62 61 ......N.....0aba 1713 +| 4048: 63 6b 01 02 02 04 02 66 74 00 02 22 04 04 6e 64 ck.....ft.....nd 1714 +| 4064: 6f 6e 03 02 02 08 0a 07 05 01 03 00 10 0d 23 00 on............#. 1715 +| 4080: 00 00 11 24 00 00 00 00 01 01 01 00 01 01 01 01 ...$............ 1716 +| page 3 offset 8192 1717 +| 0: 0a 00 00 00 04 0f e5 00 0f fa 0f f3 0f ec 0f e5 ................ 1718 +| 4064: 00 00 00 00 00 06 04 01 0c 01 04 02 06 04 01 0c ................ 1719 +| 4080: 01 03 02 06 04 01 0c 01 02 02 05 04 09 0c 01 02 ................ 1720 +| page 4 offset 12288 1721 +| 0: 0d 0f 5a 00 0d 0e ce 00 0f f6 0f ec 0f e0 0f d5 ..Z............. 1722 +| 16: 0e e7 0f c1 0f b6 0f 70 0f 65 0e ce 0f 51 0f 46 .......p.e...Q.F 1723 +| 32: 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 1724 +| 3776: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 0a ................ 1725 +| 3792: 03 00 35 62 65 61 6d 65 72 20 62 75 6d 6d 65 72 ..5beamer bummer 1726 +| 3808: 20 62 61 63 6b 75 29 17 05 03 00 35 62 65 61 6d backu)....5beam 1727 +| 3824: 65 72 20 62 75 6d 6d 65 72 20 62 61 63 6b 75 29 er bummer backu) 1728 +| 3840: 44 0d 04 00 81 0d 61 6c 70 68 61 20 63 68 61 6e D.....alpha chan 1729 +| 3856: 6e 65 6c 20 62 61 63 6b 75 70 20 61 62 61 6e 64 nel backup aband 1730 +| 3872: 6f 6e 20 74 65 73 74 20 61 62 61 63 6b 20 62 6f on test aback bo 1731 +| 3888: 6f 6d 65 72 20 61 74 6f 6d 20 61 6c 70 68 61 20 omer atom alpha 1732 +| 3904: 61 63 74 69 76 65 09 0c 03 00 19 61 74 6f 6d 69 active.....atomi 1733 +| 3920: 63 07 0b 03 00 15 61 74 6f 6d 0f ca 00 0b 19 62 c.....atom.....b 1734 +| 3936: 6f 6f 6d 65 72 09 09 03 00 19 61 63 74 69 76 65 oomer.....active 1735 +| 3952: 44 08 04 00 81 0d 61 6c 70 68 61 20 63 68 61 6e D.....alpha chan 1736 +| 3968: 6e 65 6c 20 62 61 63 6b 75 70 20 61 62 61 6e 64 nel backup aband 1737 +| 3984: 6f 6e 20 74 65 73 74 20 61 62 61 63 6b 20 62 6f on test aback bo 1738 +| 4000: 6f 6d 65 72 20 61 74 6f 6d 20 61 6c 70 68 61 20 omer atom alpha 1739 +| 4016: 61 63 74 69 76 65 09 07 03 00 19 61 74 6f 6d 69 active.....atomi 1740 +| 4032: 63 07 06 03 00 15 61 74 6f 6d 00 00 00 0b 19 62 c.....atom.....b 1741 +| 4048: 6f 6f 6d 65 72 09 04 03 00 19 61 63 74 69 76 65 oomer.....active 1742 +| 4064: 0a 03 03 00 1b 61 62 61 6e 64 6f 6e 08 02 03 00 .....abandon.... 1743 +| 4080: 17 61 62 61 66 74 08 01 03 00 17 61 62 61 63 6b .abaft.....aback 1744 +| page 5 offset 16384 1745 +| 0: 0d 00 00 00 0d 0f b2 00 0f fa 0f f4 0f ee 0f e8 ................ 1746 +| 16: 0f e2 0f dc 0f d6 0f d0 0f ca 0f c4 0f be 0f b8 ................ 1747 +| 32: 0f b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 1748 +| 4016: 00 00 04 0d 03 00 0e 0a 04 0c 03 00 0e 01 04 0b ................ 1749 +| 4032: 03 00 0e 01 04 0a 03 00 0e 03 04 09 03 00 0e 01 ................ 1750 +| 4048: 04 08 03 00 0e 0a 04 07 03 00 0e 01 04 06 03 00 ................ 1751 +| 4064: 0e 01 04 05 03 00 0e 03 04 04 03 00 0e 01 04 03 ................ 1752 +| 4080: 03 00 0e 01 04 02 03 00 0e 01 04 01 03 00 0e 01 ................ 1753 +| page 6 offset 20480 1754 +| 0: 0a 00 00 00 01 0f f4 00 0f f4 00 00 00 00 00 00 ................ 1755 +| 4080: 00 00 00 00 0b 03 1b 01 76 65 72 73 69 6f 6e 04 ........version. 1756 +| page 7 offset 24576 1757 +| 0: 0d 00 00 00 03 0f d6 00 0f f4 0f e1 0f d6 00 00 ................ 1758 +| 4048: 00 00 00 00 00 00 09 03 02 1b 72 65 62 75 69 6c ..........rebuil 1759 +| 4064: 64 11 02 02 2b 69 6e 74 65 67 72 69 74 79 2d 63 d...+integrity-c 1760 +| 4080: 68 65 63 6b 0a 01 02 1d 6f 70 74 69 6d 69 7a 65 heck....optimize 1761 +| end c22b.db 1762 +}]} {} 1763 + 1764 +do_catchsql_test 21.1 { 1765 + DELETE FROM t1 WHERE t1 MATCH 'ab*ndon'; 1766 +} {1 {database disk image is malformed}} 1634 1767 1635 1768 sqlite3_fts5_may_be_corrupt 0 1636 1769 finish_test 1637 1770