SQLite

Check-in [0659a666ff]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fixed crash in integrity_check with corrupt content offset size in page header. (CVS 5881)
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 0659a666ff0a9fc81ee4df3c35e535164c79e588
User & Date: shane 2008-11-11 17:36:30.000
Context
2008-11-11
18:28
Cleanup in flattenSubquery. Add OOM tests for flattenSubquery. Fix issues with OOM errors causes problems for flattenSubquery. Ticket #3485. (CVS 5882) (check-in: ea5f4baa04 user: drh tags: trunk)
17:36
Fixed crash in integrity_check with corrupt content offset size in page header. (CVS 5881) (check-in: 0659a666ff user: shane tags: trunk)
15:48
Avoid signed/unsigned comparison warnings in bitvec.c by changing the types of loop variables to unsigned int. (CVS 5880) (check-in: da869446c5 user: drh tags: trunk)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/btree.c. 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

/*
** 2004 April 6
**
** The author disclaims copyright to this source code.  In place of
** a legal notice, here is a blessing:
**
**    May you do good and not evil.
**    May you find forgiveness for yourself and forgive others.
**    May you share freely, never taking more than you give.
**
*************************************************************************
** $Id: btree.c,v 1.528 2008/11/10 17:14:58 shane Exp $
**
** This file implements a external (disk-based) database using BTrees.
** See the header comment on "btreeInt.h" for additional information.
** Including a description of file format and an overview of operation.
*/
#include "btreeInt.h"













|








1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

/*
** 2004 April 6
**
** The author disclaims copyright to this source code.  In place of
** a legal notice, here is a blessing:
**
**    May you do good and not evil.
**    May you find forgiveness for yourself and forgive others.
**    May you share freely, never taking more than you give.
**
*************************************************************************
** $Id: btree.c,v 1.529 2008/11/11 17:36:30 shane Exp $
**
** This file implements a external (disk-based) database using BTrees.
** See the header comment on "btreeInt.h" for additional information.
** Including a description of file format and an overview of operation.
*/
#include "btreeInt.h"


6796
6797
6798
6799
6800
6801
6802






6803
6804
6805
6806
6807
6808
6809
6810
6811

  */
  data = pPage->aData;
  hdr = pPage->hdrOffset;
  hit = sqlite3PageMalloc( pBt->pageSize );
  if( hit==0 ){
    pCheck->mallocFailed = 1;
  }else{






    memset(hit, 0, usableSize );
    memset(hit, 1, get2byte(&data[hdr+5]));
    nCell = get2byte(&data[hdr+3]);
    cellStart = hdr + 12 - 4*pPage->leaf;
    for(i=0; i<nCell; i++){
      int pc = get2byte(&data[cellStart+i*2]);
      u16 size = 1024;
      int j;
      if( pc<=usableSize ){








>
>
>
>
>
>
|
|








6796
6797
6798
6799
6800
6801
6802
6803
6804
6805
6806
6807
6808
6809
6810
6811
6812
6813
6814
6815
6816
6817

  */
  data = pPage->aData;
  hdr = pPage->hdrOffset;
  hit = sqlite3PageMalloc( pBt->pageSize );
  if( hit==0 ){
    pCheck->mallocFailed = 1;
  }else{
    u16 contentOffset = get2byte(&data[hdr+5]);
    if (contentOffset > usableSize) {
      checkAppendMsg(pCheck, 0, 
                     "Corruption detected in header on page %d",iPage,0);
      contentOffset = usableSize; /* try to keep going */
    }
    memset(hit+contentOffset, 0, usableSize-contentOffset);
    memset(hit, 1, contentOffset);
    nCell = get2byte(&data[hdr+3]);
    cellStart = hdr + 12 - 4*pPage->leaf;
    for(i=0; i<nCell; i++){
      int pc = get2byte(&data[cellStart+i*2]);
      u16 size = 1024;
      int j;
      if( pc<=usableSize ){
Changes to test/corruptC.test. 
11
12
13
14
15
16
17
18
19
20
21
22
23



24
25
26
27
28
29
30

# This file implements regression tests for SQLite library.
#
# This file implements tests to make sure SQLite does not crash or
# segfault if it sees a corrupt database file.  It creates a base
# data base file, then tests that single byte corruptions in 
# increasingly larger quantities are handled gracefully.
#
# $Id: corruptC.test,v 1.1 2008/10/31 13:57:40 shane Exp $

catch {file delete -force test.db test.db-journal test.bu}

set testdir [file dirname $argv0]
source $testdir/tester.tcl




# Construct a compact, dense database for testing.
#
do_test corruptC-1.1 {
  execsql {
    BEGIN;
    CREATE TABLE t1(x);








|





>
>
>








11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

# This file implements regression tests for SQLite library.
#
# This file implements tests to make sure SQLite does not crash or
# segfault if it sees a corrupt database file.  It creates a base
# data base file, then tests that single byte corruptions in 
# increasingly larger quantities are handled gracefully.
#
# $Id: corruptC.test,v 1.2 2008/11/11 17:36:30 shane Exp $

catch {file delete -force test.db test.db-journal test.bu}

set testdir [file dirname $argv0]
source $testdir/tester.tcl

# Set a uniform random seed
expr srand(0)

# Construct a compact, dense database for testing.
#
do_test corruptC-1.1 {
  execsql {
    BEGIN;
    CREATE TABLE t1(x);

64
65
66
67
68
69
70






















71



72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

}

# Setup for the tests.  Make a backup copy of the good database in test.bu.
#
copy_file test.db test.bu
set fsize [file size test.db]























for {set tn 1} {$tn<=1024} {incr tn 1} {




  # setup for test
  db close
  copy_file test.bu test.db

  # Seek to a random location in the file, and write a random single byte
  # value.  Then do various operations on the file to make sure that
  # the database engine can handle the corruption gracefully.
  #
  set last 0
  for {set i 1} {$i<=1024 && !$last} {incr i 1} {

    # insert random byte at random location
    set fd [open test.db r+]
    fconfigure $fd -translation binary
    seek $fd [random $fsize]
    puts -nonewline $fd [format "%c" [expr [random 255]]]
    close $fd

    # do a few random operations to make sure that if 
    # they error, they error gracefully instead of crashing.
    do_test corruptC-2.$tn.$i.1 {
      sqlite3 db test.db
      catchsql {SELECT count(*) FROM sqlite_master}
      set x {}
    } {}
    do_test corruptC-2.$tn.$i.2 {
      catchsql {SELECT count(*) FROM t1}
      set x {}
    } {}
    do_test corruptC-2.$tn.$i.3 {
      catchsql {SELECT count(*) FROM t1 WHERE x>13}
      set x {}
    } {}
    do_test corruptC-2.$tn.$i.4 {
      catchsql {SELECT count(*) FROM t2}
      set x {}
    } {}
    do_test corruptC-2.$tn.$i.5 {
      catchsql {SELECT count(*) FROM t2 WHERE x<13}
      set x {}
    } {}

    # check the integrity of the database.
    # once the corruption is detected, we can stop.
    ifcapable {integrityck} {








>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
|
>
>
>













<
<
|
<
<



|




|



|



|



|








67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112


113


114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

}

# Setup for the tests.  Make a backup copy of the good database in test.bu.
#
copy_file test.db test.bu
set fsize [file size test.db]

#
# first test some specific corruption tests found from earlier runs
#

# test that a corrupt content offset size is handled (seed 5577)
do_test corruptC-2.1 {
  db close
  copy_file test.bu test.db

  # insert corrupt byte(s)
  hexio_write test.db 2053 04

  sqlite3 db test.db
  catchsql {PRAGMA integrity_check}
} {0 {{*** in database main ***
Corruption detected in header on page 3
Multiple uses for byte 604 of page 3}}}


#
# now test for a series of quasi-random seeds
#
for {set tn 0} {$tn<=1024} {incr tn 1} {

  # Set a quasi-random random seed
  expr srand($tn)

  # setup for test
  db close
  copy_file test.bu test.db

  # Seek to a random location in the file, and write a random single byte
  # value.  Then do various operations on the file to make sure that
  # the database engine can handle the corruption gracefully.
  #
  set last 0
  for {set i 1} {$i<=1024 && !$last} {incr i 1} {

    # insert random byte at random location


    hexio_write test.db [random $fsize] [format %02x [random 255]]



    # do a few random operations to make sure that if 
    # they error, they error gracefully instead of crashing.
    do_test corruptC-3.$tn.$i.1 {
      sqlite3 db test.db
      catchsql {SELECT count(*) FROM sqlite_master}
      set x {}
    } {}
    do_test corruptC-3.$tn.$i.2 {
      catchsql {SELECT count(*) FROM t1}
      set x {}
    } {}
    do_test corruptC-3.$tn.$i.3 {
      catchsql {SELECT count(*) FROM t1 WHERE x>13}
      set x {}
    } {}
    do_test corruptC-3.$tn.$i.4 {
      catchsql {SELECT count(*) FROM t2}
      set x {}
    } {}
    do_test corruptC-3.$tn.$i.5 {
      catchsql {SELECT count(*) FROM t2 WHERE x<13}
      set x {}
    } {}

    # check the integrity of the database.
    # once the corruption is detected, we can stop.
    ifcapable {integrityck} {

126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

    ifcapable {!integrityck} {
      if { $i > 5 } {
        set last -1
      }
    }

    # Check that no page references were leaked.
    do_test corruptC-2.$tn.$i.6 {
      set bt [btree_from_db db]
      db_enter db
      array set stats [btree_pager_stats $bt]
      db_leave db
      set stats(ref)
    } {0}









|








150
151
152
153
154
155
156
157
158
159
160
161
162
163
164

    ifcapable {!integrityck} {
      if { $i > 5 } {
        set last -1
      }
    }

    # Check that no page references were leaked.
    do_test corruptC-3.$tn.$i.6 {
      set bt [btree_from_db db]
      db_enter db
      array set stats [btree_pager_stats $bt]
      db_leave db
      set stats(ref)
    } {0}